WO2023045472A1 - Communication method, apparatus and system - Google Patents


Info

Publication number
WO2023045472A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
indication information
terminal device
request
network slice
Prior art date
Application number
PCT/CN2022/103065
Other languages
French (fr)
Chinese (zh)
Inventor
李文正
朱强华
吴问付
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2023045472A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04W  WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00  Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06  Authentication

Definitions

  • the present application relates to the technical field of communication, and in particular to a communication method, device and system.
  • the mobile communication system can provide transmission channels for various services for terminal equipment.
  • the mobile communication system can provide service data transmission channels for the call service, video service, web page service, etc. of the terminal equipment.
  • the mobile communication system will perform authentication on the terminal equipment before providing the data transmission channel for the terminal equipment.
  • the mobile communication system can perform authentication on the terminal device according to the subscription information of the terminal device.
  • the subscription information is related to the identity information of the terminal device.
  • the present application provides a communication method, device and system to improve the security of data transmission.
  • the embodiment of the present application provides a communication method.
  • This method can be applied to the communication system shown in Figs. 1-4 below.
  • the method includes: the first communication device in the mobile communication system may send a first request to the second communication device, requesting authentication of whether the terminal device can implement the first service; the first request includes first service indication information indicating the first service requested by the terminal device.
  • after receiving the first response from the second communication device, the first communication device may determine whether to provide the first service for the terminal device according to the authentication result in the first response; the first response includes the authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service.
  • the first communication device thus obtains an authentication result for whether the terminal device can implement the requested service, and according to that result the mobile communication system where the first communication device is located provides the terminal device only with services whose authentication succeeded and withholds services whose authentication failed, thereby improving the security of data transmission.
  • the first communication device may send the first request to the second communication device after receiving the second request from the third communication device.
  • the second request includes the first service indication information; and the second request is a registration request or a first session establishment request.
  • the first communication device can therefore obtain the authentication result during registration or session establishment, and according to that result the mobile communication system where the first communication device is located provides the terminal device with the services whose authentication succeeded and not with those whose authentication failed, thereby improving the security of data transmission.
  • the first service includes at least one service
  • the authentication result includes: the terminal device is capable of implementing a second service in the first service.
  • the first communication device is an access and mobility management function AMF
  • the second communication device is an authentication server function (AUSF) and/or a network slice-specific authentication and authorization function (NSSAAF)
  • the third communication device is the terminal device or an access network AN device accessed by the terminal device.
  • the first communication device may accept or reject the session establishment request in the following ways, but not limited to:
  • the first communication device may send a first message to UDM, where the first message includes: second service indication information used to indicate the second service;
  • the first communication device sends a third request to the SMF after receiving the second session establishment request from the terminal device or the AN device accessed by the terminal device.
  • the second session establishment request may include third service indication information, and the third service indication information is used to indicate the third service requested by the terminal device;
  • the third request may include the third service indication information, and requests the SMF to accept or reject the second session establishment request according to the third service indication information and the second service indication information acquired from the UDM.
  • the UDM can thus obtain and store the second service indication information of the second service that the terminal device can implement (that is, the service indication information of the successfully authenticated services), and in the subsequent session establishment process the SMF can accept or reject the session establishment request according to the registration-time authentication result obtained from the UDM (including the second service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the first communication device may instead save the second service indication information used to indicate the second service locally; after receiving the second session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device accepts or rejects the second session establishment request according to the locally stored second service indication information.
  • the second session establishment request includes third service indication information, and the third service indication information is used to indicate the third service requested to be executed by the terminal device.
  • if the locally stored second service indication information shows that the terminal device can implement the requested third service, the first communication device may accept the second session establishment request; otherwise, the first communication device may reject it.
  • the first communication device can thus save the service indication information of the second service (within the first service) that the terminal device can implement (that is, the service indication information of the successfully authenticated services), and accept or reject the session establishment request according to the locally saved registration-time authentication result (including the second service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • when the second request is the registration request, the first communication device may be the AMF, the second communication device may be the NSSAAF, and the third communication device may be the terminal device or the AN device accessed by the terminal device; the second request may further include first network slice indication information, used to indicate the first network slice that the terminal device requests to access; the first request may also include the first network slice indication information; and the authentication result may be the result obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
  • the first communication device can thus obtain an authentication result for whether the terminal device can implement the requested service on the network slice it requested, and according to that result the mobile communication system where the first communication device is located provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the first service may include at least one service
  • the first network slice may include at least one network slice
  • the authentication result may include: the terminal device can implement a fourth service (within the first service) on a second network slice (within the first network slice); after receiving the first response from the second communication device, the first communication device may accept or reject a session establishment request in the following way:
  • the first communication device sends a second message to the UDM, where the second message includes second network slice indication information and fourth service indication information; the second network slice indication information is used to indicate the second network slice, and the fourth service indication information is used to indicate the fourth service that the terminal device can implement on the second network slice;
  • after receiving a third session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device sends a fourth request to the SMF; the third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information is used to indicate a third network slice, and the fifth service indication information is used to indicate the fifth service that the terminal device requests to execute on the third network slice;
  • the fourth request includes the third network slice indication information and the fifth service indication information, and requests the SMF to accept or reject the third session establishment request according to the second network slice indication information and fourth service indication information (acquired from the UDM) together with the third network slice indication information and the fifth service indication information.
  • the UDM can thus obtain the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slice), and in the subsequent session establishment process the SMF may accept or reject the session establishment request according to the registration-time authentication result obtained from the UDM (including the second network slice indication information and the fourth service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the first communication device may instead store the second network slice indication information and the fourth service indication information locally, where the second network slice indication information is used to indicate the second network slice, and the fourth service indication information is used to indicate the fourth service that the terminal device can implement on the second network slice;
  • after receiving the third session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device may accept or reject the third session establishment request according to the locally stored second network slice indication information and fourth service indication information.
  • the third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information is used to indicate the third network slice, and the fifth service indication information is used to indicate the fifth service that the terminal device requests to execute on the third network slice.
  • if the locally stored information shows that the terminal device can implement the requested fifth service on the requested third network slice, the first communication device may accept the third session establishment request; otherwise, the first communication device may reject it.
  • the first communication device can thus save the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slice), and accept or reject the session establishment request according to the locally saved registration-time authentication result (including the second network slice indication information and the fourth service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
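The registration-time check and the later session gate described in the two flows above (the service-only flow, and the flow that scopes each service to a network slice), as an added Python example that is not part of the patent and not Huawei's code. The AMF, UDM and SMF are plain in-memory classes standing in for the network functions; the SUPI and slice identifier strings, the service names, the stand-in authenticator policy, and the decision to model the non-sliced registration as a grant with slice `None` are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# One authenticated (network slice, service) pair.  The patent's registration
# variant without network slice indication is modelled here as slice None,
# meaning "authenticated for this service on any slice" (an assumption of
# this example, not something the patent states).
Grant = Tuple[Optional[str], str]
Authenticator = Callable[[str, Optional[str], str], bool]  # stands in for AUSF/NSSAAF


@dataclass
class Udm:
    """Holds, per subscriber, the services the subscriber may use (the patent's
    second/fourth service indication information)."""
    grants: Dict[str, Set[Grant]] = field(default_factory=dict)

    def store(self, supi: str, authenticated: Set[Grant]) -> None:
        # Replace rather than merge, so that a re-registration in which a
        # service fails authentication revokes an earlier grant for it.
        self.grants[supi] = set(authenticated)

    def fetch(self, supi: str) -> FrozenSet[Grant]:
        return frozenset(self.grants.get(supi, set()))


def authorized(grants: FrozenSet[Grant], slice_id: Optional[str], service: str) -> bool:
    """Admission check for one session establishment request: accept when the
    exact (slice, service) pair was authenticated, or when the service was
    authenticated without slice scoping."""
    return (slice_id, service) in grants or (None, service) in grants


class Amf:
    def __init__(self, udm: Udm, authenticator: Authenticator):
        self.udm = udm
        self.authenticator = authenticator
        self.local: Dict[str, FrozenSet[Grant]] = {}

    def register(self, supi: str, requested: Set[Grant]) -> FrozenSet[Grant]:
        """Registration: authenticate every requested pair, keep only the ones
        that succeed, and record them in the UDM and locally."""
        ok = {pair for pair in requested if self.authenticator(supi, pair[0], pair[1])}
        self.udm.store(supi, ok)
        self.local[supi] = frozenset(ok)
        return self.local[supi]

    def session_request(self, supi: str, slice_id: Optional[str], service: str) -> bool:
        """Variant in which the AMF gates the session from its local copy."""
        return authorized(self.local.get(supi, frozenset()), slice_id, service)


class Smf:
    def __init__(self, udm: Udm):
        self.udm = udm

    def session_request(self, supi: str, slice_id: Optional[str], service: str) -> bool:
        """Variant in which the SMF gates the session from the UDM record."""
        return authorized(self.udm.fetch(supi), slice_id, service)


def sample_authenticator(supi: str, slice_id: Optional[str], service: str) -> bool:
    """Constructed stand-in for AUSF/NSSAAF: 'voice' is allowed on any slice,
    'v2x' only on slice 'sst1-sd-a', nothing else is allowed."""
    policy = {"voice": {None, "sst1-sd-a", "sst1-sd-b"}, "v2x": {"sst1-sd-a"}}
    return slice_id in policy.get(service, set())


def demo() -> Dict[str, bool]:
    """Registers one constructed subscriber and exercises the session gate."""
    udm = Udm()
    amf = Amf(udm, sample_authenticator)
    smf = Smf(udm)
    supi = "imsi-001010000000001"   # constructed SUPI
    amf.register(supi, {(None, "voice"), ("sst1-sd-a", "v2x"), ("sst1-sd-b", "v2x")})
    return {
        "voice on an unlisted slice": smf.session_request(supi, "sst1-sd-c", "voice"),
        "v2x on authenticated slice": smf.session_request(supi, "sst1-sd-a", "v2x"),
        "v2x on failed slice": smf.session_request(supi, "sst1-sd-b", "v2x"),
        "unregistered subscriber": smf.session_request("imsi-001010000000002", None, "voice"),
        "AMF local copy agrees": amf.session_request(supi, "sst1-sd-a", "v2x"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The one design point worth noting is that `Udm.store` replaces the subscriber's grant set instead of merging into it, so a later registration in which a service fails authentication withdraws the service rather than leaving a stale grant behind; the patent describes storing the result but does not say which of the two behaviours is intended, so this is the example's choice.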
  • the second request may further include at least one of the following: first indication information and second indication information, where the first indication information is used to indicate whether authentication of whether the terminal device can implement the requested first service is required, and the second indication information is used to indicate the communication device that performs the authentication process.
  • when the first communication device is the AMF or the SMF, before sending the first request to the second communication device, the first communication device may determine the second communication device according to the first service indication information; the second communication device is at least one of the AUSF, the NSSAAF, the UDM, or an AAA server outside the mobile communication system.
  • when the first communication device is the AMF or the SMF, after receiving the first response from the second communication device, the first communication device may, according to the authentication result, send a third message to the terminal device; the third message includes at least one of the following:
  • sixth service indication information used to indicate the services that the terminal device can implement
  • the first communication device can notify the terminal device of the authentication result.
  • when the first communication device is the AMF, after receiving the first response from the second communication device, the first communication device may send a fourth message to the terminal device; the fourth message may trigger the terminal device to authenticate, according to locally stored authentication information that includes service authentication information, whether the terminal device can implement the first service in the mobile communication system.
  • the terminal device can thus authenticate, according to the locally stored service authentication information, whether it can implement the requested service in the mobile communication system, so that the terminal device uses the services whose authentication succeeded and not those whose authentication failed, thereby improving the security of data transmission.
  • the first service indication information may include at least one of the following: the identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
  • the embodiment of the present application provides a communication method.
  • This method can be applied to the communication system shown in Figs. 1-4 below.
  • the method includes: after receiving the first request from the first communication device in the mobile communication system, the second communication device authenticates whether the terminal device can implement the first service requested by the terminal device.
  • the first request may include first service indication information used to indicate the first service, and the first request is used to request authentication of whether the terminal device can implement the first service.
  • the second communication device sends a first response to the first communication device; the first response may include a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result may be used by the first communication device to determine whether to provide the first service for the terminal device.
  • the second communication device can thus authenticate whether the terminal device can implement the requested service and send the authentication result to the first communication device, so that the mobile communication system where the first communication device is located provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the second communication device may perform the authentication in the following manner: after sending a fifth request to a fourth communication device, the second communication device receives a fifth response from the fourth communication device and, according to the second authentication result in the fifth response, authenticates whether the terminal device can implement the first service, obtaining the first authentication result.
  • the fifth request may include the first service indication information and is used to request the fourth communication device to authenticate whether the terminal device can implement the first service; the fifth response may include a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service.
  • the second communication device and the fourth communication device can thus jointly authenticate whether the terminal device can implement the service, and once the first communication device obtains the authentication result, the mobile communication system where it is located provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the first request may further include: first network slice indication information, where the first network slice indication information may indicate the first network slice that the terminal device requests to access.
  • the second communication device may authenticate whether the terminal device can implement the first service on the first network slice; the first authentication result may then be the result obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
  • the second communication device can thus authenticate whether the terminal device can implement the requested service on the network slice it requested and send the authentication result to the first communication device, so that the mobile communication system where the first communication device is located provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the second communication device may perform authentication in the following manner:
  • after sending a sixth request to the fourth communication device, the second communication device receives a sixth response from the fourth communication device and, according to the second authentication result in the sixth response, authenticates whether the terminal device can implement the first service, obtaining the first authentication result.
  • the sixth request may include the first network slice indication information and the first service indication information and requests the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice; the sixth response may include a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice.
  • the second communication device can thus authenticate jointly with the fourth communication device whether the terminal device can implement the service on the requested network slice, and once the first communication device obtains the authentication result, the mobile communication system where it is located provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the second communication device may be the AUSF and the fourth communication device the UDM; or the second communication device may be the NSSAAF and the fourth communication device an AAA server outside the mobile communication system.
  • alternatively, the second communication device may authenticate whether the terminal device can implement the first service in the mobile communication system according to locally stored authentication information, the authentication information including service authentication information.
  • the second communication device can thus authenticate, according to the locally stored service authentication information, whether the terminal device can implement the requested service in the mobile communication system, so that the mobile communication system where the first communication device is located provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
  • the first service indication information may include at least one of the following: the identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
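The delegation chain described above (the AUSF consulting the UDM, or the NSSAAF consulting an AAA server outside the mobile network, and deriving the first authentication result from the fourth device's second authentication result), together with the AMF choosing the second device from the service indication information, as an added Python example that is neither the patent's nor Huawei's code. The routing rule (operator-provided services to the AUSF/UDM, third-party services to the NSSAAF/AAA), the fail-closed treatment of an unreachable AAA server, the message field names, and all identifiers and sample subscription data are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass(frozen=True)
class ServiceIndication:
    """First service indication information: identifier, type and provider."""
    service_id: str
    service_type: str        # e.g. "voice", "video", "web"
    provider: str            # "operator" or a third-party name (assumed values)


@dataclass(frozen=True)
class AuthRequest:
    """Fifth/sixth request: subscriber, service and, optionally, network slice."""
    supi: str
    service: ServiceIndication
    slice_id: Optional[str] = None


Authenticator = Callable[[AuthRequest], Result]


# Fourth communication devices -------------------------------------------------

class Udm:
    """Operator subscription data: which operator services each SUPI holds."""
    def __init__(self, subscriptions: Dict[str, set]):
        self.subscriptions = subscriptions

    def authenticate(self, req: AuthRequest) -> Result:
        ok = req.service.service_id in self.subscriptions.get(req.supi, set())
        return Result.SUCCESS if ok else Result.FAILURE


class ExternalAaa:
    """Third-party AAA server reached through the NSSAAF; may be unreachable."""
    def __init__(self, allowed: Dict[Tuple[str, str, Optional[str]], bool], reachable: bool = True):
        self.allowed = allowed
        self.reachable = reachable

    def authenticate(self, req: AuthRequest) -> Result:
        if not self.reachable:
            raise ConnectionError("AAA server unreachable")
        key = (req.supi, req.service.service_id, req.slice_id)
        return Result.SUCCESS if self.allowed.get(key, False) else Result.FAILURE


# Second communication devices -------------------------------------------------

def second_device(fourth: Authenticator) -> Authenticator:
    """Wrap a fourth device as an AUSF/NSSAAF: forward the request and derive
    the first authentication result from the second.  A transport error or an
    unexpected answer becomes FAILURE (fail closed); that is this example's
    choice, not something the patent prescribes."""
    def authenticate(req: AuthRequest) -> Result:
        try:
            second = fourth(req)
        except Exception:
            return Result.FAILURE
        return Result.SUCCESS if second is Result.SUCCESS else Result.FAILURE
    return authenticate


def select_authenticator(svc: ServiceIndication, ausf: Authenticator, nssaaf: Authenticator) -> Authenticator:
    """AMF-side choice of the second device from the service indication.
    Assumed rule: operator-provided services go to the AUSF (backed by the
    UDM), anything else to the NSSAAF (backed by the external AAA server)."""
    return ausf if svc.provider == "operator" else nssaaf


def run_registration(supi: str, requests: Iterable[Tuple[ServiceIndication, Optional[str]]],
                     ausf: Authenticator, nssaaf: Authenticator) -> Dict[str, Result]:
    """Authenticate each requested (service, slice) and return the per-service
    first authentication results the AMF would act on."""
    results: Dict[str, Result] = {}
    for svc, slice_id in requests:
        results[svc.service_id] = select_authenticator(svc, ausf, nssaaf)(AuthRequest(supi, svc, slice_id))
    return results


def demo(aaa_reachable: bool = True) -> Dict[str, Result]:
    """Constructed sample: one subscriber, two operator services, one third-party service."""
    supi = "imsi-001010000000001"
    voice = ServiceIndication("ims-voice", "voice", "operator")
    video = ServiceIndication("ims-video", "video", "operator")
    game = ServiceIndication("cloud-game", "video", "gamecorp")
    udm = Udm({supi: {"ims-voice"}})                      # no ims-video subscription
    aaa = ExternalAaa({(supi, "cloud-game", "sst1-sd-a"): True}, reachable=aaa_reachable)
    ausf, nssaaf = second_device(udm.authenticate), second_device(aaa.authenticate)
    return run_registration(supi, [(voice, None), (video, None), (game, "sst1-sd-a")], ausf, nssaaf)


if __name__ == "__main__":
    for service_id, result in demo().items():
        print(f"{service_id}: {result.value}")
```

The point to check in any real deployment of this pattern is the branch in `second_device`: the patent only says the first authentication result is derived from the second one, so the example maps every outcome other than an explicit SUCCESS from the fourth device, including a lost connection to the external AAA server, to FAILURE, which keeps an outage from silently granting a service.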
  • the embodiment of the present application provides a communication device, including a unit configured to perform each step in any one of the above aspects.
  • the embodiment of the present application provides a communication device, including at least one processing element and at least one storage element, where the at least one storage element is used to store programs and data, and the at least one processing element is used to read and execute the program and data stored in the storage element so that the method provided by any one of the above aspects of the present application is realized.
  • an embodiment of the present application provides a communication system, including: a first communication device configured to execute the method provided in the first aspect, and a second communication device configured to execute the method provided in the second aspect.
  • the embodiment of the present application further provides a computer program, which, when the computer program is run on a computer, causes the computer to execute the method provided in any one of the above aspects.
  • the embodiment of the present application also provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a computer, the computer executes the method provided in any one of the above aspects.
  • the embodiment of the present application further provides a chip, the chip is used to read a computer program stored in a memory, and execute the method provided in any one of the above aspects.
  • the embodiment of the present application further provides a chip system, where the chip system includes a processor, configured to support a computer device to implement the method provided in any one of the above aspects.
  • the chip system further includes a memory, and the memory is used to store necessary programs and data of the computer device.
  • the chip system may consist of chips, or may include chips and other discrete devices.
  • FIG. 1 is an architecture diagram of a communication system provided by an embodiment of the present application
  • FIG. 2 is an architecture diagram of another communication system provided by an embodiment of the present application.
  • FIG. 3 is an architecture diagram of another communication system provided by an embodiment of the present application.
  • FIG. 4 is an architecture diagram of another communication system provided by an embodiment of the present application.
  • FIG. 5 is a flow chart of the first communication method provided by the embodiment of the present application.
  • FIG. 6 is a schematic diagram of an application scenario of an embodiment of the present application.
  • FIG. 7 is a schematic diagram of another application scenario of the embodiment of the present application.
  • FIG. 8 is a flowchart of a second communication method provided by an embodiment of the present application.
  • FIG. 9 is a flow chart of an authentication method in the second communication method provided by the embodiment of the present application.
  • FIG. 10 is a flowchart of another authentication method in the second communication method provided by the embodiment of the present application.
  • FIG. 11 is a flowchart of another authentication method in the second communication method provided by the embodiment of the present application.
  • FIG. 12 is a flow chart of the third and sixth communication methods provided by the embodiment of the present application.
  • FIG. 13 is a flow chart of the fourth, fifth and seventh communication methods provided by the embodiment of the present application.
  • FIG. 14 is a flow chart of an authentication method of the fifth communication method provided in the embodiment of the present application.
  • FIG. 15 is a flowchart of an authentication method of the sixth communication method provided in the embodiment of the present application.
  • FIG. 16 is a flowchart of another authentication method of the sixth communication method provided in the embodiment of the present application.
  • FIG. 17 is a structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 18 is a structural diagram of a communication device provided by an embodiment of the present application.
  • the present application provides a communication method, device and system to improve the security of data transmission.
  • the method, device and system are based on the same technical conception. Since the principles of solving the problems are similar, the implementation of the device, system and method can be referred to each other, and the repetition will not be repeated.
  • the first communication device in the mobile communication system can send a first request to the second communication device to request authentication of whether the terminal device can implement the first service; after receiving the first response carrying the authentication result of the second communication device, the first communication device may determine whether to provide the first service for the terminal device according to that authentication result.
  • the first communication device can thus obtain an authentication result for whether the terminal device can implement the requested service, and according to that result the mobile communication system where the first communication device is located provides the terminal device with successfully authenticated services and not with services that failed authentication, so that the security of data transmission is improved.
  • Communication equipment generally refers to equipment with communication functions.
  • the communication device may be, but not limited to, a terminal device, an access network (access network, AN) device, an access point, a core network (core network, CN) device, and the like.
  • a terminal device is a device that provides voice and/or data connectivity to users. Terminal devices can provide users with access to interact with the network. For example, the terminal device can display a service window to the user, accept user's operation input, and so on.
  • Next-generation terminal equipment can use new radio (NR) technology to establish a connection with AN equipment, thereby exchanging control signals and service data with the mobile communication system.
  • the terminal equipment may also be called user equipment (user equipment, UE), mobile station (mobile station, MS), mobile terminal (mobile terminal, MT) and so on.
  • the terminal device may be a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • some terminal devices are: mobile phone (mobile phone), tablet computer, notebook computer, palmtop computer, mobile internet device (mobile internet device, MID), wearable device, virtual reality (virtual reality, VR) device, augmented reality (augmented reality, AR) device, wireless terminals in industrial control, wireless terminals in self driving, wireless terminals in remote medical surgery, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, wireless terminals in smart home, etc.
  • the AN device is a device for connecting a terminal device to a wireless network in a mobile communication system.
  • AN equipment can provide services for authorized users in a specific area, and can provide transmission tunnels with different quality of service (QoS) for terminal equipment used by users according to user levels and business requirements.
  • the AN device may also be called a base station, a radio access network (radio access network, RAN) node (or device), and an access point (access point, AP).
  • examples of AN equipment are: next generation Node B (generation Node B, gNB), transmission reception point (transmission reception point, TRP), evolved Node B (evolved Node B, eNB), radio network controller (radio network controller, RNC), node B (Node B, NB), base station controller (base station controller, BSC), base transceiver station (base transceiver station, BTS), home base station (for example, home evolved NodeB, or home Node B, HNB), or base band unit (base band unit, BBU), etc.
  • the AN device may include a centralized unit (centralized unit, CU) node and a distributed unit (distributed unit, DU) node.
  • This structure separates the protocol layers of the AN device, and the functions of some protocol layers are placed in the CU for centralized control, and the remaining part or all of the functions of the protocol layers are distributed in the DU, and the CU centrally controls the DU.
  • the CN device is a network element included in the CN part of the mobile communication system.
  • CN devices can connect terminal devices to different data networks, and perform services such as billing, mobility management, session management, user plane forwarding, subscription data maintenance, policy management, and security authentication.
  • the CN can perform security authentication on the terminal device; when a terminal device requests services, the CN can allocate resources for the terminal device; when the terminal device moves, the CN can update resources for the terminal device; when the terminal device is in idle state, the CN can provide a quick recovery mechanism for the terminal device; when the terminal device is detached, the CN can release resources for the terminal device; when the terminal device needs to transmit service data packets, the CN can provide data routing for the terminal device.
  • names of CN devices with the same function may be different.
  • the embodiment of the present application does not limit the specific name of the CN device with each function.
  • the network element responsible for functions such as access control, security control and signaling coordination is the mobility management entity (mobility management entity, MME); the network element serving as the anchor point of local mobility management is the serving gateway (serving gateway, S-GW); the network element serving as the anchor point for handover with the external data network and responsible for Internet protocol (internet protocol, IP) address allocation is the packet data network (packet data network, PDN) gateway (PDN gateway, P-GW); the network element that stores user-related data and subscription data is the home subscriber server (home subscriber server, HSS); and the network element responsible for policy and charging functions is called the policy and charging rule function (policy and charging rule function, PCRF) network element.
  • the core network can be divided into a control plane (control plane, CP) and a user plane (user plane, UP).
  • network elements responsible for control plane functions in the CN may be collectively referred to as control plane network elements, and network elements responsible for user plane functions may be collectively referred to as user plane network elements.
  • the network element serving as an interface of the data network and responsible for functions such as user plane data forwarding is a user plane function (user plane function, UPF) network element; control plane network elements include the access and mobility management function (access and mobility management function, AMF), the session management function (session management function, SMF), the unified data management (unified data management, UDM), the policy control function (policy control function, PCF) and the application function (application function, AF).
  • the data network is a network located outside the mobile communication system.
  • a variety of services can be deployed on the DN, which can provide data and/or voice services for terminal equipment.
  • the client is generally located at the terminal device and the server is generally located at the DN.
  • the DN may be a private network, such as a local area network; it may also be an external network not controlled by the operator, such as the Internet (Internet); it may also be a private network deployed by the operator, such as a network providing IMS services (for example, an IP Multi-media Service (IP Multi-media Service, IMS) network).
  • a session is a connection between the terminal device, the access network device, the user plane network element and the DN, established by the session management network element in the mobile communication system for the terminal device, and is used to transmit user plane data between the terminal device and the DN; for example, a protocol data unit (protocol data unit, PDU) session.
  • the terminal device can establish one or more PDU sessions with the mobile communication system (for example, a 5G communication system), and one or more quality of service (quality of service, QoS) flows (flow) can be established in each PDU session.
  • Each QoS flow is used to transmit data of the same QoS requirement (reliability or delay) in a service.
  • a QoS flow can be identified by a QoS flow identifier (QFI).
  • the mobile communication system maps the service data packet to a corresponding QoS flow for transmission.
  • when the service data packet in the QoS flow in the mobile communication system is transmitted to the DN, it is mapped to the corresponding data flow for transmission.
  • authentication can be replaced with any of the following: “authentication”, “authentication authentication”.
  • "realizing" services may include “using” services, and "executing" services may include “transmitting” services.
  • the service can be called a service with successful authentication; if the authentication result indicates that the terminal device cannot implement the service or that the terminal device cannot implement the service on the network slice, the service may be referred to as an authentication-failed service.
  • the network slice may be called an authenticated slice; if the authentication result indicates that the terminal device cannot access the network slice, the network slice may be called a network slice that fails authentication.
  • the service indication information is information used to indicate a service, which may include, but is not limited to, at least one of the following: service identification, service type indication information, and service provider indication information.
  • the identifier of the service may be a service ID list (service ID list)
  • the indication information of the type of the service may be a service category ID list (service category ID list)
  • the indication information of the provider of the service may be Service provider ID list.
  • the network slice indication information is information used to indicate network slices, and may include at least one of the following: requested NSSAI (Requested NSSAI), or single network slice selection assistance information (single network slice selection assistance information, S-NSSAI).
  • the network slice indication information may be a network slice ID list, for example: S-NSSAI list (S-NSSAI list).
  • the service indicated by the service indication information may be: a service associated with the network slice indicated by the network slice indication information, or a service corresponding to the network slice indicated by the network slice indication information.
  • as for the number of nouns, unless otherwise specified, it means "singular noun or plural noun", that is, "one or more". "At least one" means one or more, and "plurality" means two or more. "And/or" describes the association relationship of associated objects, indicating that there may be three kinds of relationships; for example, A and/or B may indicate: A exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the contextual objects are in an "or" relationship. For example, A/B means: A or B. "At least one (item) of the following" or similar expressions refer to any combination of these items, including any combination of a single item or a plurality of items.
  • FIG. 1 shows the architecture of a possible communication system to which the communication method provided by the embodiment of the present application is applicable.
  • the communication system includes: a terminal device (UE is taken as an example in the figure), a mobile communication system and a DN.
  • the mobile communication system may include two parts, AN and CN.
  • the UE and the mobile communication system are the main components of the communication system.
  • the UE and the mobile communication system can be divided into a control plane and a user plane.
  • the control plane can be responsible for the management of the mobile communication system
  • the user plane can be responsible for the transmission of service data.
  • an interface NG2 exists between the AN control plane and the CN control plane
  • an interface NG3 exists between the AN user plane and the CN user plane
  • an interface NG6 exists between the CN user plane and the DN.
  • the various components in the communication system can interact through corresponding interfaces.
  • the terminal device is an entity capable of receiving and transmitting wireless signals on the user side, and needs to access the DN through the mobile communication system.
  • the terminal device may serve as a relay device for other data collectors or other terminal devices, so that these devices can communicate with the DN through the mobile communication system.
  • a mobile communication system can access at least one DN, and the same DN can also be accessed by at least one mobile communication system.
  • the network device deployed in the AN is an AN device, which can specifically be responsible for functions such as wireless access, wireless resource management on the air interface side, quality of service (quality of service, QoS) management, data compression and encryption, and user plane data forwarding.
  • Network elements deployed in the CN may be collectively referred to as CN equipment.
  • Taking the CN in the 5G mobile communication system as an example, referring to FIG. 2, the functions of the main network elements in the CN are specifically introduced. From the above description, it can be seen that the network elements in the CN of the 5G mobile communication system can be divided into two types: control plane network elements and user plane network elements.
  • the user plane network element includes the user plane function (UPF), which is mainly responsible for data packet forwarding, QoS control, charging information statistics, etc., and can perform service data packet forwarding according to the routing rules from the SMF.
  • the UPF can send service data packets in the uplink direction to the DN or other UPFs; it can also forward service data packets in the downlink direction to other UPFs or AN devices.
  • the network elements of the control plane are mainly responsible for service process interaction, delivering data packet forwarding policies and QoS control policies to the user plane.
  • CN's control plane adopts a service-oriented architecture.
  • the network elements on the control plane interact with each other through service invocation.
  • the control plane network element can open services to other control plane network elements for calling by other control plane network elements.
  • Control plane network elements mainly include: AMF, SMF, PCF, AF, network exposure function (network exposure function, NEF), UDM, authentication server function (authentication server function, AUSF), network slice selection function (network slice selection function, NSSF), and network function repository function (network function (network function, NF) repository function, NRF).
  • AMF is mainly responsible for UE access management and mobility management, for example, responsible for UE state maintenance, UE reachability management, mobility management (mobility management, MM) non-access-stratum (non-access-stratum, NAS) message forwarding, session management (session management, SM) N2 message forwarding, etc.
  • SMF is mainly responsible for UE session management, for example, managing the establishment and deletion of PDU sessions, maintaining PDU session context, allocating resources for UE sessions, releasing resources, etc.
  • the PCF is mainly responsible for policy control, for example, generating and/or managing user, session and QoS flow processing policies, etc.
  • AF is mainly responsible for providing various business services, and can interact with the core network through NEF, and interact with the policy management framework for policy management, etc.
  • NEF is mainly responsible for providing the framework, authentication and interface related to network capability opening, and transferring information between network functions and other network functions of the mobile communication system.
  • the AUSF is mainly responsible for performing UE security authentication.
  • NSSF is mainly responsible for selecting network slices for UE.
  • the NRF is mainly responsible for providing storage and selection functions for network function entity information for other network elements.
  • UDM is mainly responsible for user subscription context management.
  • Figure 2 also shows the interfaces between multiple network elements in the communication system, and the relevant interfaces will be described below.
  • N1 is the interface between the UE and the core network control plane, and the UE and the AMF can interact through the N1 interface.
  • N2 is an interface between the access network device and the core network control plane, and the access network device and the AMF can interact through the N2 interface.
  • N3 is a communication interface between the access network equipment and the UPF, and is used to transmit user data.
  • N4 is a communication interface between SMF and UPF, and is used for policy configuration of UPF, etc.
  • N6 is the communication interface between UPF and DN.
  • the interfaces between the network elements of the control plane in the CN can be implemented in the form of corresponding service interfaces, as shown in FIG. 2 for details.
  • the communication systems shown in FIG. 1 and FIG. 2 do not limit the communication systems to which the embodiments of the present application are applicable. Therefore, the communication method provided by the embodiment of the present application can also be applied to communication systems of various standards, for example: long term evolution (long term evolution, LTE) communication systems, 5G communication systems, sixth generation (6th generation, 6G) communication systems and future communication systems.
  • the embodiment of the present application does not limit the names of the network elements in the communication system. For example, in communication systems of different standards, each network element may have other names; when multiple network elements are integrated in the same physical device, the physical device may also have other names.
  • FIG. 3 and FIG. 4 respectively show the network architecture of another possible communication system to which the communication method provided by the embodiment of the present application is applicable.
  • the communication system includes the visited public land mobile network (visited public land mobile network, VPLMN) and the home public land mobile network (home public land mobile network, HPLMN) of the terminal equipment; the VPLMN and the HPLMN coexist and communicate with each other.
  • the VPLMN may be a visited PLMN, or a visited non-public network (non-public network, NPN), that is, the network that the terminal device currently accesses in the visited area.
  • the HPLMN may be the home PLMN, or the home NPN, indicating the network to which the user belongs.
  • the VPLMN can communicate with the home security edge protection proxy (hSEPP) in the HPLMN through the visited security edge protection proxy (vSEPP).
  • the vSEPP and hSEPP establish a connection through the N32 interface and apply protection policies to each control plane message in the cross-network signaling.
  • the network slice-specific authentication and authorization function (NSSAAF) can realize authentication and authorization based on network slice selection.
  • An embodiment of the present application provides a communication method, which can be applied to the communication systems shown in FIGS. 1-4 . Referring to the flow chart shown in FIG. 5 , the flow of the method will be described in detail.
  • a first communication device in a mobile communication system sends a first request to a second communication device.
  • the second communication device receives the first request from the first communication device.
  • the first communication device may be any of the following: AMF, SMF.
  • the second communication device may include at least one of the following: AUSF, NSSAAF, a network function (network function, NF) inside the mobile communication system (hereinafter, UDM is used as an example for description), and a network function outside the mobile communication system (for example, an authentication, authorization and accounting (authentication authorization accounting, AAA) server, AAA-S).
  • the first request may include first service indication information, and the first service indication information may indicate the first service requested by the terminal device.
  • the first request may request to authenticate whether the terminal device can implement the first service.
  • the first request may further include: first network slice indication information.
  • the first network slice indication information may indicate the first network slice that the terminal device requests to access.
  • the first request may request to authenticate whether the terminal device can implement the first service on the first network slice.
  • the first request may reuse an existing message (for example, an authentication request), or may be a dedicated message for requesting the second communication device to authenticate whether the terminal device can implement the first service.
  • the first communication device may determine the second communication device according to the first service indication information.
  • the first communication device may determine that the second communication device includes at least one of the following: UDM and AUSF.
  • the first communication device may determine that the second communication device includes at least one of the following: NSSAAF, AAA server.
  • if the first communication device determines that AAA server 1 can authenticate a part of the first service (for example, service a whose service identifier is service IDa) and AAA server 2 can authenticate another part of the first service (for example, service b whose service identifier is service IDb), the first communication device may determine that the second communication device includes at least one of the following: NSSAAF, AAA server 1, AAA server 2.
  • if the first communication device determines that the UDM can authenticate a part of the first service (for example, service 1 whose service identifier is service ID1) and the AAA server can authenticate another part of the first service (for example, service 2 whose service identifier is service ID2), the first communication device may determine that the second communication device includes at least one of the following: UDM, AUSF, NSSAAF, and AAA server.
  • the first communication device may send the first request to the second communication device after receiving the second request from the third communication device.
  • the second request may trigger the first communication device to send the first request to the second communication device.
  • the second request may include the first service indication information.
  • the second request may reuse an existing message (for example, a registration request or a session establishment request (for ease of distinction, hereinafter referred to as the first session establishment request)), or may be a dedicated message used to trigger the first communication device to request authentication of whether the terminal device can implement the first service.
  • the first communication device may be AMF
  • the second communication device may be AUSF and/or NSSAAF
  • the third communication device may be the terminal device or the AN device accessed by the terminal device.
  • when the second request is the registration request, the second request may further include: the first network slice indication information.
  • the first request may include: the first network slice indication information.
  • the first communication device may be an AMF
  • the second communication device may be an NSSAAF
  • the third communication device may be the terminal device or an AN device accessed by the terminal device.
  • the first communication device may be an SMF
  • the second communication device may be the AAA server
  • the third communication device may be an AMF
  • the second request may also include, but is not limited to, at least one of the following: first indication information and second indication information.
  • first indication information may indicate that authentication needs to be performed on whether the terminal device can implement the first service
  • second indication information may indicate the communication device performing the authentication process (that is, the second communication device, for example, AAA server outside the mobile communication system).
  • the first indication information may be a predetermined field.
  • when the value of the predetermined field is the first value, it indicates that authentication needs to be performed on whether the terminal device can implement the first service.
  • the second indication information may include, but is not limited to, at least one of the following: ID of the communication device performing authentication processing, and address information of the communication device performing authentication processing.
  • the first communication device may determine, according to the first indication information, whether authentication needs to be performed on whether the terminal device can implement the first service, determine the communication device that performs the authentication process (that is, the second communication device) according to the second indication information, and then send the first request to that second communication device, requesting it to authenticate whether the terminal device can implement the first service.
  • the second communication device authenticates whether the terminal device can implement the first service, and obtains an authentication result (for ease of distinction, it is referred to as a first authentication result hereinafter).
  • the first authentication result may include, but is not limited to, at least one of the following: service indication information of services that the terminal device can implement, and service indication information of services that the terminal equipment cannot implement.
  • the second communication device may authenticate whether the terminal device can implement the first service on the first network slice, and obtain the first authentication result.
  • the first authentication result may include, but is not limited to, at least one of the following: network slice indication information indicating a network slice that the terminal device can access, together with service indication information indicating the services that the terminal device can implement on that network slice; network slice indication information indicating a network slice that the terminal device can access, together with service indication information indicating the services that the terminal device cannot implement on that network slice; or network slice indication information indicating a network slice that the terminal device cannot access, together with service indication information indicating the service requested by the terminal device on that network slice.
  • the second communication device may authenticate whether the terminal device can implement the first service, and obtain the first authentication result.
  • the second communication device may be a UDM or an AAA server outside the mobile communication system.
  • the second communication device may authenticate whether the terminal device can implement the first service according to the second authentication result obtained from the fourth communication device. This is explained below.
  • the second communication device sends a fifth request to the fourth communication device.
  • the fifth request may include: the first service indication information, and the fifth request may request the fourth communication device to authenticate whether the terminal device can implement the first service.
  • the fifth request may reuse an existing message (for example, an authentication request), or may be a dedicated message for requesting the fourth communication device to authenticate whether the terminal device can implement the first service.
  • the second communication device receives a fifth response from the fourth communication device; wherein, the fifth response may include the second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service.
  • the fifth response may reuse an existing message (for example, an authentication response), or may be a dedicated message for sending the second authentication result.
  • the second authentication result may include: a first authentication vector (authentication vector, AV) for the fourth communication device to authenticate whether the terminal device can implement the first service.
  • the second communication device may, according to the second authentication result, authenticate whether the terminal device can implement the first service, and obtain the first authentication result.
  • the second communication device may execute a subsequent authentication process according to the first AV to obtain the first authentication result.
  • For the subsequent authentication process, refer to TS 33.501.
  • the second communication device sends a sixth request to the fourth communication device; wherein, the sixth request may include: the first network slice indication information and the first service indication information, and the sixth request may request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
  • the sixth request may reuse an existing message (for example, an authentication request), or may be a dedicated message for requesting the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
  • the second communication device receives a sixth response from the fourth communication device; wherein, the sixth response may include the second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice.
  • the sixth response may reuse an existing message (for example, an authentication response), or may be a dedicated message for sending the second authentication result.
  • the second authentication result may include: a second AV in which the fourth communication device authenticates whether the terminal device can implement the first service on the first network slice.
  • the second communication device may authenticate whether the terminal device can implement the first service according to the second authentication result, and obtain the first authentication result.
  • the second communication device executes a subsequent authentication process according to the second AV to obtain the first authentication result.
  • For the subsequent authentication process, refer to TS 33.501.
  • the second communication device may be AUSF and the fourth communication device may be UDM; or the second communication device may be NSSAAF and the fourth communication device may be an AAA server outside the mobile communication system.
  • the second communication device and/or the fourth communication device may authenticate, according to locally stored first authentication information, whether the terminal device can implement the first service in the mobile communication system; the first authentication information may include service authentication information.
  • the first authentication information may include, but is not limited to, at least one of the following: service indication information of services that the terminal device can implement, and service indication information of services that the terminal equipment cannot implement.
  • the first authentication information may be included in the subscription information of the terminal device.
  • the first communication device receives a first response from the second communication device.
  • the second communication device sends the first response to the first communication device.
  • the first response includes the first authentication result obtained in S502.
  • the first response may reuse an existing message (for example, an authentication response), or may be a dedicated message for sending the first authentication result.
  • the first communication device determines whether to provide the first service for the terminal device.
  • the first communication device may accept or reject the second request according to the first authentication result.
  • when the second service in the first service requested by the terminal device is a service that the terminal device can implement (that is, the second service in the first service passes the authentication), the first communication device may accept the second request; otherwise, the first communication device may reject the second request.
  • the second service may be part or all of the first service.
  • when the second request is a registration request: when the fourth service in the first service requested by the terminal device is a service that the terminal device can implement on the second network slice (that is, the fourth service in the first service passes the authentication), the first communication device accepts the second request; otherwise, the first communication device rejects the second request.
  • the second network slice may be part or all of the first network slice, and the fourth service may be part or all of the first service.
  • the first communication device may provide the terminal device with the first service, so that a subsequent registration process or session establishment process may be performed.
  • when the first communication device rejects the second request, the first communication device cannot provide the first service for the terminal device.
  • the first communication device may send a failure indication to the terminal device, and the failure indication may include service indication information of a service whose authentication fails.
  • the first communication device may also send a rejection reason to the terminal device.
  • the rejection reason may include, but is not limited to, at least one of the following: service authentication failure, service registration failure, network slice authentication failure, and network slice registration failure.
  • the first communication device may send the failure indication and the rejection reason through an existing message (for example, the message sent by the AMF to the terminal device during the registration process or the session establishment process), or send the failure indication and the reason for the rejection through a dedicated message.
  • the failure indication and the rejection reason may be included in one message, or may be included in multiple messages.
  • the first communication device may accept or reject the second request through, but not limited to, the following implementation manners.
  • Implementation manner 1: after receiving all authentication results from the plurality of communication devices, the first communication device accepts or rejects the second request according to the received authentication results.
  • Implementation manner 2: the first communication device accepts or rejects the second request according to the authentication results received from the plurality of communication devices within a predetermined time.
  • the first communication device may determine the predetermined time through a first timer. For example, when the first communication device sends the first request to the plurality of communication devices, the first timer may be started. The first communication device may receive one or more authentication results during the period from the start of the first timer to the end of the first timer. After the first timer expires, the first communication device may accept or reject the second request according to the received authentication result.
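The two implementation manners above, as an added example that is not code from the patent or from any network function: a collector in the first communication device (for example an AMF) gathers per-service authentication results from the plurality of authenticating devices and decides on the registration request either once all results are in (manner 1) or when the first timer expires (manner 2). The class and field names, the injectable clock, and the rule that a service with no result by the deadline counts as not authenticated are assumptions.

```python
"""Registration-phase aggregation of per-service authentication results.

Added example; not the patent's own code. Models the first communication
device that sent authentication requests for several requested services to
several authenticating devices (AUSF/NSSAAF/AAA-S) and must accept or reject
the registration request from the results that come back.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# One of the rejection reasons named in the description.
SERVICE_AUTH_FAILURE = "service authentication failure"


@dataclass
class Decision:
    accepted: bool
    allowed_services: Set[str]          # second service indication information
    failed_services: Set[str]           # carried in the failure indication
    rejection_reason: Optional[str] = None


@dataclass
class RegistrationAuthCollector:
    """Collects authentication results for one registration request."""
    requested_services: Set[str]        # first service indication information
    now: Callable[[], float]            # injectable clock, seconds (assumption)
    timeout_s: Optional[float] = None   # None: manner 1; a value: manner 2 (first timer)
    started_at: float = field(init=False)
    results: Dict[str, bool] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Manner 2: the first timer is started when the first request is sent.
        self.started_at = self.now()

    def record(self, service: str, authenticated: bool) -> None:
        """Store one authentication result from an authenticating device."""
        if service not in self.requested_services:
            raise ValueError(f"unexpected result for {service!r}")
        self.results[service] = authenticated

    def timer_expired(self) -> bool:
        return self.timeout_s is not None and self.now() - self.started_at >= self.timeout_s

    def ready(self) -> bool:
        """Manner 1: all results received. Manner 2: all received or timer expired."""
        all_in = set(self.results) == self.requested_services
        return all_in or self.timer_expired()

    def decide(self) -> Optional[Decision]:
        """Accept when at least one requested service passed; otherwise reject.

        Returns None while the collector is still waiting for results.
        """
        if not self.ready():
            return None
        # Assumption: a service whose result never arrived is treated as failed.
        allowed = {s for s, ok in self.results.items() if ok}
        failed = self.requested_services - allowed
        if allowed:
            return Decision(True, allowed, failed)
        return Decision(False, set(), failed, SERVICE_AUTH_FAILURE)
```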
  • the first communication device may determine, according to the authentication result obtained in the registration process, whether to accept a session establishment request from the terminal device or the AN device accessed by the terminal device. This will be described in detail below.
  • when the first authentication result indicates that the terminal device can implement the second service in the first service (that is, the second service in the first service passes the authentication), whether to accept the second session establishment request from the terminal device or the AN device accessed by the terminal device may be determined in, but not limited to, the following manner.
  • the first communication device may send a first message to the UDM.
  • the UDM receives the first message from the first communication device.
  • the first communication device may be an AMF.
  • the first message may include: second service indication information for indicating the second service.
  • the first message may reuse an existing message (for example, a message in the registration process (Nudm_UECM_Registration)), or may be a dedicated message for sending the second service indication information.
  • the UDM may store the second service indication information after receiving the second service indication information.
  • the UDM may store the second service indication information locally, or store the second service indication information in a unified data repository (unified data repository, UDR).
  • the first communication device receives a second session establishment request from the terminal device or an AN device accessed by the terminal device.
  • the terminal device or the AN device accessed by the terminal device sends the second session establishment request to the first communication device.
  • the second session establishment request may include third service indication information, and the third service indication information may indicate the third service requested to be executed by the terminal device.
  • the first communication device sends a third request to the SMF according to the second session establishment request.
  • the SMF receives the third request from the first communication device.
  • the third request may include the third service indication information, and the third request may request the SMF to accept or reject the second session establishment request according to the second service indication information obtained from the UDM and the third service indication information.
  • the third request may reuse an existing message (for example, a create SM context request (Nsmf_PDUSession_CreateSMContext request)), or may be a dedicated message.
  • the SMF may reuse the existing process to obtain the second service indication information from the UDM, or obtain the second service indication information from the UDM through a dedicated process.
  • for example, the SMF may initiate registration with the UDM and, through the process of acquiring subscription information, obtain from the UDM the session management subscription information of the terminal device and the service indication information of the services for which the terminal device has successfully registered.
  • the service indication information of the successfully registered service includes the second service indication information.
  • the SMF may accept the second session establishment request; when the SMF determines that the second service indicated by the obtained second service indication information does not include any of the third services indicated by the third service indication information (that is, the SMF determines that the terminal device cannot implement any of the third services), the SMF may reject the second session establishment request.
  • the SMF may execute a subsequent session establishment process.
  • in the registration process, the UDM can obtain and store the second service indication information of the second service that the terminal device can implement (that is, the service indication information of the successfully authenticated service); in the subsequent session establishment process, the SMF can accept or reject the session establishment request according to the authentication result obtained from the UDM in the registration process (including the second service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services whose authentication failed, thereby improving the security of data transmission.
  • after receiving the first response from the second communication device, the first communication device saves second service indication information used to indicate the second service.
  • the first communication device may store the second network slice indication information and the fourth service indication information during the registration process.
  • the terminal device or the AN device accessed by the terminal device sends the second session establishment request to the first communication device.
  • the first communication device receives a second session establishment request from the terminal device or an AN device accessed by the terminal device.
  • the second session establishment request may include third service indication information, and the third service indication information may indicate the third service requested to be executed by the terminal device.
  • the first communication device may accept the second session establishment request; when the first communication device determines that the second service indicated by the saved second service indication information does not include any of the third services indicated by the third service indication information (that is, the first communication device determines that the terminal device cannot implement any of the third services, or that the third service does not include an authenticated service), the first communication device may reject the second session establishment request.
  • the first communications device may perform a subsequent session establishment process.
  • the first communication device may save the service indication information of the second service in the first service that the terminal device can implement (that is, the service indication information of the successfully authenticated service); in the subsequent session establishment process, the first communication device may accept or reject the session establishment request according to the locally saved authentication result of the registration process (including the second service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services whose authentication failed, thereby improving the security of data transmission.
  • when the second request is a registration request, the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result indicates that the terminal device can implement the fourth service on the second network slice, the following manner may be used.
  • the first communication device may send a second message to the UDM.
  • the UDM receives the second message from the first communication device.
  • the first communication device may be an AMF.
  • the second message may include: second network slice indication information and fourth service indication information.
  • the second network slice indication information may indicate the second network slice
  • the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice.
  • the second message may reuse an existing message (for example, a message in the registration process (Nudm_UECM_Registration)), or may be a dedicated message for sending the second network slice indication information and the fourth service indication information.
  • the second network slice may be a network slice successfully registered by the terminal device, and the fourth service may be a service successfully registered by the terminal device on the second network slice; that is, the second network slice indication information may indicate the network slices that the terminal device has successfully registered, and the fourth service indication information may indicate the services that the terminal device has successfully registered on the second network slice.
  • the second network slice indication information and the fourth service indication information may be called allowed NSSAI information.
  • the UDM may store the second network slice indication information and the fourth service indication information. For example, the UDM may store the second network slice indication information and the fourth service indication information locally, or store the second network slice indication information and the fourth service indication information in the UDR.
  • the first communication device may receive a third session establishment request from the terminal device or an AN device accessed by the terminal device.
  • the terminal device or the AN device accessed by the terminal device sends the third session establishment request to the first communication device.
  • the third session establishment request may include third network slice indication information and fifth service indication information, wherein the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate The terminal device requests a fifth service executed on the third network slice.
  • the first communications device may send a fourth request to the SMF.
  • the SMF receives the fourth request from the first communication device.
  • the fourth request may include the third network slice indication information and the fifth service indication information, and the fourth request may request the SMF to accept or reject the third session establishment request according to the second network slice indication information and the fourth service indication information obtained from the UDM, as well as the third network slice indication information and the fifth service indication information.
  • the fourth request may reuse an existing message (for example, a create SM context request (Nsmf_PDUSession_CreateSMContext request)), or may be a dedicated message.
  • the SMF may reuse an existing process to obtain the second network slice indication information and the fourth service indication information from the UDM, or may obtain them from the UDM through a dedicated process.
  • for example, the SMF may initiate registration with the UDM and obtain the session management subscription information of the terminal device and the indication information of the services for which the terminal device has successfully registered (for example, including the second network slice indication information and the fourth service indication information).
  • when the SMF determines that the second network slice indicated by the obtained second network slice indication information includes at least one network slice in the third network slice indicated by the third network slice indication information (that is, at least one network slice in the third network slice has passed the authentication), and the SMF determines that the fourth service indicated by the acquired fourth service indication information includes at least one service in the fifth service indicated by the fifth service indication information (that is, at least one service in the fifth service passes the authentication), the SMF may accept the third session establishment request; when the SMF determines that the second network slice indicated by the acquired second network slice indication information does not include any network slice in the third network slice indicated by the third network slice indication information (that is, the third network slice does not include an authenticated network slice), and/or the SMF determines that the obtained fourth service indicated by the fourth service indication information does not include any of the fifth services indicated by the fifth service indication information (that is, the fifth service does not include an authenticated service), the SMF may reject the third session establishment request.
  • the SMF may execute a subsequent session establishment process.
  • in the registration process, the UDM can obtain the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slice); in the subsequent session establishment process, the SMF can accept or reject the session establishment request according to the authentication result of the registration process obtained from the UDM (including the second network slice indication information and the fourth service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services whose authentication failed, thereby improving the security of data transmission.
  • the first communication device may save the second network slice indication information and the fourth service indication information.
  • the second network slice indication information may indicate the second network slice
  • the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice.
  • the first communication device may store the second network slice indication information and the fourth service indication information during the registration process.
  • the first communication device may receive a third session establishment request from the terminal device or an AN device accessed by the terminal device.
  • the terminal device or the AN device accessed by the terminal device sends the third session establishment request to the first communication device.
  • the third session establishment request may include third network slice indication information and fifth service indication information, wherein the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate The terminal device requests a fifth service executed on the third network slice.
  • when the first communication device determines that the second network slice indicated by the stored second network slice indication information includes at least one network slice in the third network slice indicated by the third network slice indication information (that is, at least one network slice in the third network slice passes the authentication), and the first communication device determines that the fourth service indicated by the saved fourth service indication information includes at least one of the fifth services indicated by the fifth service indication information (that is, at least one of the fifth services passes the authentication), that is, when the first communication device determines that the terminal device can implement at least one of the fifth services on at least one network slice in the third network slice, the first communication device may accept the third session establishment request; when the first communication device determines that the second network slice indicated by the saved second network slice indication information does not include any network slice in the third network slice indicated by the third network slice indication information (that is, the third network slice does not include any network slice that has passed the authentication), and/or the first communication device determines that the fourth service indicated by the saved fourth service indication information does not include any of the fifth services indicated by the fifth service indication information (that is, the fifth service does not include an authenticated service), that is, when the first communication device determines that the terminal device cannot implement any of the fifth services on any network slice in the third network slice, the first communication device may reject the third session establishment request.
  • the first communications device may perform a subsequent session establishment process.
  • the first communication device may save the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slice); in the subsequent session establishment process, the first communication device may accept or reject the session establishment request according to the locally saved authentication result of the registration process, so that the mobile communication system provides the terminal device with successfully authenticated services and not with services whose authentication failed, thereby improving the security of data transmission.
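The session-establishment gating described above, both the service-only check (the SMF or the first communication device comparing the stored second service indication information with the requested third service) and the network slice plus service check (comparing the stored second network slice indication information and fourth service indication information with the requested third network slice and fifth service), as an added example that is not code from the patent or from any network function. `AllowedInfo` stands for the stored registration-phase result, whether fetched from the UDM by the SMF or saved locally by the AMF; the type and field names and the sample slice and service identifiers are constructed assumptions.

```python
"""Gating a session establishment request on the registration-phase authentication result.

Added example; not the patent's own code. The decision rule is the one the
description states: accept when at least one requested network slice (where
slices are requested) and at least one requested service were authenticated in
the registration process; reject when the requested slices and/or the requested
services contain none that were authenticated.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Two of the rejection reasons named in the description.
NETWORK_SLICE_AUTH_FAILURE = "network slice authentication failure"
SERVICE_AUTH_FAILURE = "service authentication failure"


@dataclass(frozen=True)
class AllowedInfo:
    """Stored result of the registration process (what the text also calls allowed NSSAI information)."""
    services: FrozenSet[str]                  # successfully authenticated services
    slices: Optional[FrozenSet[str]] = None   # None: service-only branch, no slice check


@dataclass(frozen=True)
class SessionDecision:
    accepted: bool
    granted_slices: FrozenSet[str]
    granted_services: FrozenSet[str]
    rejection_reason: Optional[str] = None


def allowed_from_registration(results: Dict[Tuple[str, str], bool]) -> AllowedInfo:
    """Build the stored information from per-(slice, service) authentication results.

    `results` maps (network slice, service) to whether that pair passed authentication;
    the constructed key shape is an assumption.
    """
    passed = [(sl, sv) for (sl, sv), ok in results.items() if ok]
    return AllowedInfo(
        services=frozenset(sv for _, sv in passed),
        slices=frozenset(sl for sl, _ in passed),
    )


def decide_session(
    allowed: AllowedInfo,
    requested_services: Iterable[str],
    requested_slices: Optional[Iterable[str]] = None,
) -> SessionDecision:
    """Accept or reject a session establishment request against the stored result."""
    granted_services = allowed.services & frozenset(requested_services)

    if allowed.slices is None or requested_slices is None:
        # Service-only branch: no network slice information to compare.
        granted_slices: FrozenSet[str] = frozenset()
        slice_ok = True
    else:
        # At least one requested slice must have passed authentication.
        granted_slices = allowed.slices & frozenset(requested_slices)
        slice_ok = bool(granted_slices)

    if slice_ok and granted_services:
        return SessionDecision(True, granted_slices, granted_services)

    # Report the slice failure first when no requested slice was authenticated.
    reason = NETWORK_SLICE_AUTH_FAILURE if not slice_ok else SERVICE_AUTH_FAILURE
    return SessionDecision(False, frozenset(), frozenset(), reason)
```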
  • the first communication device may send a third message to the terminal device according to the first authentication result.
  • the third message may include, but is not limited to, at least one of the following:
  • Sixth service indication information used to indicate the services that the terminal device can implement
  • when the first communication device is an AMF, the first communication device may also send a fourth message to the terminal device after receiving the first response from the second communication device.
  • after receiving the fourth message, the terminal device may, according to locally stored second authentication information, authenticate whether the terminal device can implement the first service in the mobile communication system; the second authentication information may include the authentication information of the service.
  • the second authentication information may include, but is not limited to, at least one of the following: indication information of services that the terminal device can implement, and indication information of services that the terminal equipment cannot implement.
  • the second authentication information may be included in the subscription information of the terminal device.
  • the second authentication information is preconfigured in the subscription information of the terminal device.
  • the terminal device obtains the subscription information of the terminal device including the second authentication information through a configuration update process.
  • the first communication device in the mobile communication system can send a first request to the second communication device, requesting authentication of whether the terminal device can implement the first service; after receiving the authentication result from the second communication device, the first communication device may determine whether to provide the first service for the terminal device according to the authentication result.
  • the first communication device can thus obtain an authentication result on whether the terminal device can implement the requested service, and, according to that result, the mobile communication system where the first communication device is located provides the terminal device with the successfully authenticated services and does not provide the services whose authentication failed, so that the security of data transmission can be improved.
  • FIG. 6 is a schematic diagram of an example of applying the communication method shown in FIG. 5 in a mobile communication system provided by the present application.
  • the application of the method shown in FIG. 5 in the application scenario shown in FIG. 6 will be described below with reference to the accompanying drawings.
  • the mobile communication system can be a standalone NPN (SNPN), and the mobile communication system can interact with external AAA servers (AAA-S) through an authentication authorization accounting proxy (AAA-P); the AAA-S may include AAA-S1 of service provider (SP) 1, AAA-S2 of SP2, and AAA-S3 of SP3.
  • the subscription information of the terminal device may be saved in the AAA-S of multiple SPs, and whether the terminal device can implement services is authenticated according to the saved subscription information.
  • the mobile communication system may receive a registration request or a session establishment request from a terminal device, and the registration request or the session establishment request may include service indication information of one or more services.
  • the mobile communication system may determine, according to the service indication information, the communication device that authenticates whether the terminal device can implement the one or more services. For example, the mobile communication system may determine, according to the service indication information and the identity information of the terminal device, that AAA-S1 can authenticate whether the terminal device can implement service 1, that AAA-S2 can authenticate whether the terminal device can implement service 2, and that AAA-S3 can authenticate whether the terminal device can implement service 3.
  • the mobile communication system may then request AAA-S1 to authenticate whether the terminal device can implement service 1, request AAA-S2 to authenticate whether the terminal device can implement service 2, and request AAA-S3 to authenticate whether the terminal device can implement service 3.
  • AAA-S1, AAA-S2, and AAA-S3 may authenticate whether the terminal device can implement services according to the subscription information of the terminal device stored locally.
  • the mobile communication system can request the external AAA-S to authenticate whether the terminal device can implement services, and obtain the authentication result.
  • the mobile communication system can provide services for the terminal equipment with successful authentication according to the authentication result, and not provide services for the terminal equipment with failed authentication, thereby improving the security of data transmission.
  • FIG. 7 is a schematic diagram of another example of applying the communication method shown in FIG. 5 in a mobile communication system provided by the present application.
  • the application of the method shown in FIG. 5 in the application scenario shown in FIG. 7 will be described below with reference to the accompanying drawings.
  • the mobile communication system may be an NPN, and the NPN may be owned by an operator, and multiple SPs may provide services for terminal equipment through the NPN.
  • the AAA-S in the figure may be the AAA server in the DN, that is, DN-AAA.
  • the UDM and the AAA-S of multiple SPs can save the subscription information of the terminal device.
  • the mobile communication system may receive a registration request or a session establishment request from a terminal device, and the registration request or the session establishment request may include service indication information of one or more services.
  • the mobile communication system may determine, according to the service indication information, the communication device that authenticates whether the terminal device can implement the one or more services. For example, the mobile communication system may determine, according to the service indication information of the one or more services and the identity information of the terminal device, that the AAA-S can authenticate whether the terminal device can implement service 1 and that the UDM can authenticate whether the terminal device can implement service 2. Then, the mobile communication system may request the AAA-S to authenticate whether the terminal device can implement service 1, and request the UDM to authenticate whether the terminal device can implement service 2.
  • the AAA-S and UDM can authenticate whether the terminal device can implement services according to the subscription information of the terminal device stored locally.
  • the mobile communication system may receive a session establishment request from a terminal device, and the session establishment request may include service indication information of one or more services.
  • the mobile communication system may request the AAA-S to authenticate whether the terminal device can implement one or more services.
  • the mobile communication system can obtain the authentication result on whether the terminal device can implement the requested service and, according to the authentication result, provide the terminal device with the successfully authenticated services and not with the services whose authentication failed, thereby improving the security of data transmission.
  • the embodiment of this application provides a communication method.
  • the method can be applied to the communication systems shown in FIGS. 1-4 , as shown in FIG. 8 .
  • the method can authenticate, during the registration process of the terminal device, whether the terminal device can implement services.
  • the mobile communication system can provide the terminal device with the successfully authenticated services and not with the services whose authentication failed, thereby improving the security of data transmission.
  • in the figure, the first AMF is the AMF to be accessed by the terminal device, and the second AMF is the AMF previously accessed by the terminal device.
  • the first AMF is equivalent to the first communication device in the method shown in Figure 5
  • the AUSF and/or NSSAAF is equivalent to the second communication device in the method shown in Figure 5
  • the UE and/or AN device is equivalent to the third communication device in the method shown in FIG. 5, and the UDM and/or AAA-S is equivalent to the fourth communication device in the method shown in FIG. 5.
  • the following takes the UE as an example for illustration.
  • S801 The UE sends a registration request to the AN device, so as to initiate a registration process.
  • the AN device receives the registration request from the UE.
  • the registration request may include service indication information indicating the first service.
  • the first service may be a service requested by the UE.
  • the registration request may further include: identity information of the UE.
  • the identity information may include but not limited to at least one of the following: subscription permanent identifier (subscription permanent identifier, SUPI), subscription concealed identifier (subscription concealed identifier, SUCI).
  • S802 The AN device selects the first AMF according to the service indication information in the registration request.
  • the AN device sends the registration request to the first AMF.
  • the first AMF receives the registration request from the AN device.
  • the AN device may send the registration request to the first AMF through an N2 message.
  • the N2 message may reuse an existing message, for example, uplink NAS transport (Uplink NAS Transport) or initial UE message (Initial UE Message), or may be another message dedicated to sending the registration request; this is not limited here.
  • S804 The first AMF initiates a UE context transfer process and an identity authentication process.
  • the specific content of the UE context transfer process and the identity authentication process can refer to steps 4-7 in Chapter 4.2.2.2 of TS23.502.
  • the first AMF selects an appropriate AUSF/NSSAAF for the UE according to the UE identity information in the registration request and the service indication information.
  • the selected AUSF/NSSAAF may be referred to as an authentication network element.
  • the first AMF may select one or more authentication network elements through, but not limited to, the following methods:
  • the first AMF may select one or more authentication network elements according to the service indication information.
  • the first AMF may select AUSF as the authentication network element.
  • when the first service is a service authenticated by a communication device outside the mobile communication system where the first AMF is located (for example, the authentication server of the first service is a third-party AAA server outside the mobile communication system, such as an AAA-S), the first AMF may select NSSAAF as the authentication network element.
  • the first AMF when the first service includes both a service that can be authenticated by the mobile communication system where the first AMF is located, and a service that can be authenticated by a communication device outside the mobile communication system, the first AMF can choose the AUSF and NSSAAF as the authentication network element.
  • the service indication information in the registration request may include: service ID1 and service ID2. If the authentication server of service 1 indicated by service ID1 is UDM, and the authentication server of service 2 indicated by service ID2 is the AAA-S, then the first AMF may select AUSF and NSSAAF as authentication network elements.
  • the first AMF may select one or more authentication network elements according to the UE's identity information (for example, SUPI and/or SUCI) and the service indication information.
  • when the UE is a UE that can be authenticated by the mobile communication system where the first AMF is located, and the first service is a service that can be authenticated by the mobile communication system, the first AMF may select AUSF as the authentication network element.
  • the first AMF may select NSSAAF as the authentication network element.
  • when the first service includes both a service that can be authenticated by the mobile communication system where the first AMF is located and a service that can be authenticated by a communication device outside the mobile communication system, and the UE can be authenticated by the mobile communication system, the first AMF may select AUSF and NSSAAF as authentication network elements.
  • the first AMF initiates an authentication process on whether the UE can implement the first service.
  • the first AMF may initiate an authentication procedure for the UE by sending an authentication request to the authentication network element.
  • the authentication network element receives the authentication request from the first AMF.
  • the authentication request may include service indication information of a service requested by the UE that needs to be authenticated by the authentication network element.
  • the first AMF may send an authentication request to the AUSF, where the authentication request includes the first service indication information.
  • the first AMF may send an authentication request to the NSSAAF, where the authentication request includes the first service indication information.
  • the first AMF may send an authentication request including service ID1 to the AUSF, and send an authentication request including service ID2 to the NSSAAF.
  • the authentication server of the service indicated by the service ID1 is UDM
  • the authentication server of the service indicated by the service ID2 is an AAA server outside the mobile communication system where the first AMF is located.
  • S807 The first AMF executes a subsequent registration process according to the authentication result.
  • the first AMF may determine to accept or reject the registration request according to the authentication result. For the specific process, reference may be made to S504, which will not be repeated here. Then, the first AMF may execute a subsequent registration process according to the determination result.
  • the AMF can obtain an authentication result for authenticating whether the UE can realize the requested service.
  • the mobile communication system where the AMF is located can provide the UE with a service of successful authentication and not provide the UE with a service of failed authentication, thereby improving the security of data transmission.
  • the authentication process initiated by the first AMF to determine whether the UE can implement the first service will be described below with reference to FIG. 9 and FIG. 10 .
  • Mode 1: the first AMF may initiate the authentication process by sending an authentication request to the AUSF.
  • the authentication server may be UDM. The process will be specifically described below with reference to FIG. 9 .
  • S901 The UE sends a registration request to the first AMF.
  • the first AMF receives the registration request from the UE.
  • the registration request may include service indication information of the first service.
  • the first AMF sends a first authentication request to the AUSF.
  • the AUSF may receive the first authentication request from the first AMF.
  • the first authentication request may include service indication information of the first service.
  • the first authentication request may further include at least one of the following: identity information (SUCI or SUPI) of the UE, and a sequence number (sequence number, SN) name (SN name).
  • the AUSF may send a second authentication request to the UDM.
  • the UDM may receive the second authentication request from the AUSF.
  • the second authentication request may include service indication information of the first service.
  • the second authentication request may further include at least one of the following: identity information (SUCI or SUPI) of the UE, and SN name.
  • the AUSF may send the second authentication request to one or more authentication servers using the service indication information in the first authentication request.
  • S904 The UDM authenticates whether the UE can implement the first service.
  • the UDM may authenticate whether the UE can implement the first service according to the identity information of the UE in the authentication request and the indication information of the first service.
  • authentication information for authenticating services may be stored in the UDM, and the UDM may authenticate whether the UE can implement the first service according to the authentication information.
  • the UDM sends a first authentication response to the AUSF.
  • the AUSF receives the first authentication response from the UDM.
  • the first authentication response may include service indication information of the first service.
  • the first authentication response includes a first authentication result obtained by the UDM authenticating whether the UE can implement the first service.
  • the UDM may send the first authentication response to the AUSF according to the UE's identity information and/or service indication information in the second authentication request.
  • the AUSF triggers a subsequent process of authenticating whether the UE can implement the first service.
  • the UDM may also be replaced by an authentication credential repository and processing function (authentication credential repository and processing function, ARPF).
  • the AMF can initiate a service-based authentication process to the authentication server inside the mobile communication system according to the service indication information in the registration request.
  • the mobile communication system where the AMF is located can provide the UE with services that have been successfully authenticated and not provide services that have failed to be authenticated according to the authentication result, thereby improving the security of service transmission.
  • the first AMF may initiate the authentication process by sending an authentication request to the NSSAAF.
  • the authentication server is an AAA-S outside the mobile communication system where the first AMF is located. The process will be described in detail below with reference to FIG. 10 .
  • S1001 The UE sends a registration request to the first AMF.
  • the first AMF receives the registration request from the UE.
  • the registration request may include service indication information of the first service.
  • the first AMF sends a third authentication request to the NSSAAF.
  • the NSSAAF receives the third authentication request from the first AMF.
  • the third authentication request may include service indication information of the first service.
  • the third authentication request may further include at least one of the following: identity information (SUCI or SUPI) of the UE, and SN name.
  • S1003 The NSSAAF sends a fourth authentication request to the AAA-P.
  • the AAA-P receives the fourth authentication request from the NSSAAF.
  • the fourth authentication request may include service indication information of the first service.
  • the fourth authentication request may further include at least one of the following: identity information (SUCI or SUPI) of the UE, and SN name.
  • the NSSAAF may send the fourth authentication request to one or more authentication servers using the service indication information in the third authentication request.
  • the AAA-P sends the fourth authentication request to the AAA-S.
  • the AAA-S receives the fourth authentication request from the AAA-P.
  • the AAA-S authenticates whether the UE can use the first service.
  • the AAA-S may authenticate whether the UE can use the target service according to the identity information of the UE and the service indication of the first service in the fourth authentication request.
  • the AAA-S may store authentication information for authenticating services, and the AAA-S may authenticate whether the UE can implement the first service according to the authentication information.
  • the AAA-S sends a second authentication response to the AAA-P.
  • the AAA-P receives the second authentication response from the AAA-S.
  • the second authentication response may include the service indication information.
  • the authentication response includes a first authentication result obtained by the AAA-S authenticating whether the UE can implement the first service.
  • the AAA-S may send the second authentication response to the AAA-P according to the identity information and/or service indication information of the UE in the fourth authentication request.
  • the second authentication response may further include identity information (SUCI or SUPI) of the UE.
  • the AAA-P sends the second authentication response to the NSSAAF.
  • the NSSAAF receives the second authentication response from the AAA-P.
  • S1008 The NSSAAF sends a third authentication response to the AMF.
  • the AMF receives the third authentication response from the NSSAAF.
  • the third authentication response includes an authentication result obtained by the NSSAAF authenticating whether the UE can implement the first service according to the first authentication result.
  • the third authentication response may include the service indication information.
  • the third authentication response may further include identity information (SUCI or SUPI) of the UE.
  • the NSSAAF may trigger a subsequent authentication process, and the subsequent authentication process may refer to TS33.501.
  • NSSAAF may not interact with AAA-S through AAA-P.
  • S1003 and S1004 may be replaced by: the NSSAAF sends the fourth authentication request to the AAA-S;
  • S1006 and S1007 may be replaced by: the AAA-S sends the second authentication response to the NSSAAF.
  • the AMF can initiate a service-based authentication process to an authentication server outside the mobile communication system according to the service indication information in the registration request.
  • the mobile communication system can provide the UE with services of successful authentication and not provide services of failed authentication, thereby improving the security of service transmission.
  • the first AMF may initiate an authentication request for one or more services to the AUSF/NSSAAF according to the service indication information in the registration request, as shown in FIG. 11.
  • S1101 UE sends a registration request to AMF.
  • the AMF receives the registration request from the UE.
  • the registration request may include: service ID1 and service ID2.
  • Service ID1 is the ID of service 1
  • service ID2 is the ID of service 2.
  • the AMF sends a first authentication request to the AUSF.
  • the first authentication request includes: service ID1.
  • the AMF may send the first authentication request to the AUSF after determining that the UDM is the server that authenticates whether the UE can implement service 1.
  • the first authentication request may request the AUSF to authenticate whether the UE can implement the service 1 through the method shown in FIG. 9 .
  • the first service is service 1.
  • S1103 The AMF sends a third authentication request to the NSSAAF.
  • the NSSAAF receives the third authentication request from the AMF.
  • the third authentication request includes: service ID2.
  • the AMF may send the third authentication request to the NSSAAF after determining that the AAA-S is the server that authenticates whether the UE can implement service 2.
  • the third authentication request may request the NSSAAF to authenticate whether the UE can implement the service 2 in the manner shown in FIG. 10 .
  • the first service is service 2.
  • the AMF can initiate a service-based authentication process to the authentication server corresponding to the multiple services according to the service indication information of the multiple services in the registration request.
  • the mobile communication system where the AMF is located can provide the UE with services that have been successfully authenticated and not provide services that have failed to be authenticated according to the authentication result, thereby improving the security of service transmission.
  • the embodiment of this application provides a communication method.
  • the method can be applied to the communication systems shown in FIGS. 1-4 , as shown in FIG. 12 .
  • the method can authenticate whether the terminal device can implement services during the registration process of the terminal device.
  • the mobile communication system can provide the terminal device with the service of successful authentication, but not the service of failed authentication, thereby improving the security of service transmission.
  • In the figure, the first AMF is the AMF that the terminal device is about to access, and the second AMF is the AMF that the terminal device has accessed before.
  • the first AMF is equivalent to the first communication device in the method shown in Figure 5
  • the AUSF and/or NSSAAF is equivalent to the second communication device in the method shown in Figure 5
  • the UE and/or AN device is equivalent to the third communication device in the method shown in FIG. 5, and the UDM and/or AAA-S is equivalent to the fourth communication device in the method shown in FIG. 5.
  • the following takes the UE as an example for illustration.
  • S1201-S1203 may be the same as S801-S803, which will not be repeated here.
  • the first AMF initiates a UE context transfer process and an authentication process.
  • S1205a The first AMF initiates a registration process (Nudm_UECM_registration).
  • the first AMF may initiate a registration request to the UDM according to at least one of the following: an authentication result of whether the UE can implement the first service, and service indication information corresponding to the authentication result.
  • the service indication information corresponding to the authentication result may be the service indication information contained in the first response in S503.
  • the first AMF may initiate the registration process to the UDM by, but not limited to, at least one of the following methods:
  • the first AMF may select a service with successful authentication; and initiate a registration process to the UDM according to the service with successful authentication.
  • after the first AMF receives the authentication results of some or all of the multiple services within a predetermined time, it may select the received services with successful authentication, and initiate the registration process to the UDM according to those services.
  • the first AMF may determine the predetermined time by using a second timer. For example, when the first AMF sends an authentication request to the authentication network element, the second timer may be started. The first AMF may receive authentication results of some or all of the multiple services during the period from the start of the second timer to the end of the second timer. After the second timer expires, the first AMF may select the received authentication-successful service, and initiate a registration process to the UDM according to the authentication-successful service.
  • the first AMF may initiate a registration process to the UDM after receiving an authentication result that the authentication for at least one of the multiple services is successful.
  • the first AMF may send service indication information of the UE's authentication-successful service to the UDM. Then, the UDM may store the service indication information of the UE's successfully authenticated service and the identity information of the first AMF associated therewith in the UDM or UDR.
  • S1205b The first AMF initiates a subscription information acquisition process (Nudm_SDM_get).
  • the first AMF may obtain the service subscription information of the UE from the UDM.
  • the subscription information may include, but is not limited to, at least one of the following: information of a network that the UE can access, and service indication information of a service that the UE can implement in the network that the UE can access.
  • the first AMF may also acquire SMF selection information.
  • the SMF selection information may indicate the correspondence between the service and the SMF.
  • the AMF may select an appropriate SMF for the terminal device according to the SMF selection information and the service requested by the terminal device.
  • S1205c The first AMF initiates a subscription process to the UDM.
  • S1205c is an optional step.
  • S1206 The mobile communication system executes a subsequent registration process.
  • the specific content of the subsequent registration process can refer to steps 15-20 in Chapter 4.2.2.2 of TS23.502.
  • the first AMF sends a registration accept message (registration accept) to the UE.
  • the UE receives the registration acceptance message from the first AMF.
  • the registration acceptance message may include indication information of an authentication result of each service in the first service requested by the UE.
  • the indication information of the authentication result may indicate whether each service requested by the UE is authenticated successfully or failed.
  • the authentication result may also indicate a reason for each service authentication success or authentication failure.
  • the registration acceptance message may also include subscription information of the service requested by the UE.
  • the UE may update locally stored subscription information.
  • the UE can be successfully registered in the mobile communication system.
  • the mobile communication system may update the authentication success or authentication failure service of the UE.
  • the update process will be described below with reference to FIG. 12 .
  • S1208 The first AMF determines to initiate a UE configuration update procedure.
  • the first AMF may determine that a UE configuration update procedure needs to be initiated after receiving the authentication update information from the authentication server.
  • the authentication update information may indicate an update of the authentication result of the service of the UE.
  • the update of the authentication result may be to update the authentication-successful service to the authentication-failed service, or to update the authentication-failed service to the authentication-successful service.
  • the authentication update information may include service indication information of services whose authentication results have changed.
  • the authentication server may update the first target service to a service of successful authentication.
  • the first AMF sends a UE configuration update command (UE configuration update command) to the UE, and correspondingly, the UE receives the UE configuration update command from the first AMF.
  • the UE configuration update command may include the authentication update information.
  • S1210 The mobile communication system executes a subsequent UE configuration update process, and updates the services for which the UE's authentication succeeded or failed.
  • the first AMF can obtain an authentication result for authenticating whether the UE can realize the requested service.
  • the mobile communication system where the first AMF is located can provide the UE with a service of successful authentication and not provide the UE with a service of failed authentication, thereby improving the security of data transmission.
  • the embodiment of this application provides a communication method.
  • This method can be applied to the communication systems shown in FIGS. 1-4 , as shown in FIG. 13 .
  • This method can be implemented based on the method shown in FIG. 8 or FIG. 12 .
  • the authentication server authenticates whether the UE can use the service.
  • the mobile communication system may provide the UE with a session of a service whose authentication is successful, but not a session of a service whose authentication fails, thereby improving the security of service transmission.
  • the AMF in FIG. 13 may be the first AMF in FIG. 8 or FIG. 12 .
  • the AMF is equivalent to the first communication device in the method shown in FIG. 5 .
  • the following takes the UE as an example for illustration.
  • the UE sends a PDU session establishment request (PDU session establishment request) to the AMF.
  • the AMF receives the PDU session establishment request from the UE.
  • the UE may send a PDU session establishment request to the AMF after successfully registering with the mobile communication system, so as to initiate a PDU session establishment process.
  • the PDU session establishment procedure may be triggered by the UE or by the mobile communication system.
  • the PDU session establishment request may be a NAS message.
  • the session establishment request may include service indication information of the third service that the UE requests to transmit.
  • the third service may be one or more services.
  • the PDU session establishment request may omit at least one of the following information: data network name (data network name, DNN), S-NSSAI, and session and service continuity (session and service continuity, SSC) mode.
  • the AMF selects an appropriate SMF for the UE according to the received PDU session establishment request.
  • the AMF may select an SMF based on the third service indication information in the PDU session establishment request.
  • the AMF may also select the SMF according to at least one of the following: local configuration information of the AMF, subscription information of the UE obtained in a registration process, and SMF selection information of the UE.
  • the local configuration information or the subscription information includes the SMF information corresponding to the UE.
  • the AMF selects an appropriate SMF according to the SMF information corresponding to the UE or the SMF selection information of the UE.
  • the AMF may acquire the SMF selection information of the UE through but not limited to the following ways.
  • the AMF can acquire the SMF selection information of the UE through a subscription information acquisition process.
  • Mode 2: the AMF may acquire the SMF selection information of the UE in the PDU session establishment request.
  • the AMF sends an SM context establishment request (Nsmf_PDU session_create SM context request) to the selected SMF.
  • the SMF receives the SM context establishment request from the AMF.
  • the request for establishing an SM context may include the third service indication information.
  • for the specific content of the third service indication information, reference may be made to the method shown in FIG. 5.
  • the SM context establishment request may include the PDU session establishment request.
  • the SMF acquires subscription information (subscription data) of the UE from the UDM in the process of acquiring subscription information.
  • the subscription information of the UE may indicate a service of successful registration of the UE.
  • the subscription information of the UE may include service indication information of services that the UE can implement in the mobile communication system.
  • the SMF may determine to accept or reject the PDU session establishment request according to, but not limited to, at least one of the following: the service indication information of the third service, and the services for which the UE has successfully registered, as indicated by the subscription information.
  • if the third service is a service for which the UE has successfully registered, the SMF accepts the PDU session establishment request and continues the subsequent PDU session establishment process; otherwise, the SMF rejects the PDU session establishment request.
  • the SMF may send the failure reason of the PDU session establishment to the AMF.
  • the failure reasons may include: the service is not registered and the service is not authenticated.
  • S1305 The SMF sends an SM context creation response (Nsmf_PDU session_Create SM context response) to the AMF.
  • the AMF receives an SM context establishment response from the SMF.
  • S1306 The mobile communication system executes a PDU session authentication/authorization (PDU session authentication/authorization) process.
  • the SMF selects a PCF for the UE.
  • S1307b The SMF initiates an SM policy association establishment or SM policy association modification (SM policy association establishment or SM policy association modification) process to the selected PCF, so as to acquire policy and charging control (policy and charging control, PCC) rules and other information from the PCF entity.
  • S1307a and S1307b are optional steps.
  • the SMF selects an appropriate UPF for the UE according to the UE's location information, subscription information, and SM policy association information.
  • S1309 When the PCC rule obtained by the SMF in S1307 is a dynamic PCC rule, the SMF initiates an SM policy association modification process to the PCF, so as to obtain an updated PCC rule from the PCF.
  • S1309 is an optional step.
  • the SMF sends an N4 session establishment/modification request (N4 session establishment/modification request) to the UPF.
  • the UPF sends an N4 session establishment/modification response (N4 session establishment/modification response) to the SMF.
  • S1311 The mobile communication system executes a subsequent PDU session establishment process.
  • the mobile communication system can establish, for the UE, a PDU session restricted to the services for which the UE has successfully registered in the current network, according to the indication information of the service requested by the UE in the session establishment request and the services determined in the registration process to be successfully registered. That is to say, the mobile communication system establishes a session for a service that the UE has registered successfully, and does not establish a session for a service whose registration failed, so that the UE is provided with the successfully registered service and not with the service whose registration failed, thereby improving the security of service transmission.
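The AMF's per-service selection of AUSF or NSSAAF with the predetermined-time check (the FIG. 8 and FIG. 11 procedures, and the second timer of S1205a), and the SMF's accept-or-reject decision against the registered services (S1304 of FIG. 13), can be run end to end in the following simulation. It is an added example written for this page, not the patent's or 3GPP's code; the service-to-server mapping, the SUPI strings, the subscription data, the simulated latencies and the mapping of the two failure reasons are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthServer(Enum):
    UDM = "UDM"      # inside the mobile communication system, reached through the AUSF
    AAA_S = "AAA-S"  # outside the mobile communication system, reached through the NSSAAF


# Constructed mapping from service ID to its authentication server; assumed to be local
# configuration of the first AMF (the page does not say where the AMF learns it).
SERVICE_AUTH_SERVER = {
    "service ID1": AuthServer.UDM,
    "service ID2": AuthServer.AAA_S,
    "service ID3": AuthServer.AAA_S,
}


@dataclass
class AuthResult:
    service_id: str
    success: bool
    cause: str  # reason carried per service in the registration accept message


@dataclass
class SimulatedAuthServer:
    """Stand-in for a UDM or AAA-S holding the UE's service subscription data (constructed)."""
    allowed: dict                # SUPI -> set of service IDs the UE may implement
    response_delay: float = 0.0  # constructed latency, compared with the AMF's second timer

    def authenticate(self, supi, service_id):
        ok = service_id in self.allowed.get(supi, set())
        return AuthResult(service_id, ok, "subscribed" if ok else "not subscribed")


def select_authentication_network_elements(service_ids, auth_server_of=SERVICE_AUTH_SERVER):
    """AMF step of FIG. 8: UDM-authenticated services go to the AUSF, AAA-S-authenticated
    services to the NSSAAF; a service with no known server gets no network element (key None)."""
    selection = {"AUSF": [], "NSSAAF": [], None: []}
    for sid in service_ids:
        element = {AuthServer.UDM: "AUSF", AuthServer.AAA_S: "NSSAAF"}.get(auth_server_of.get(sid))
        selection[element].append(sid)
    return {k: v for k, v in selection.items() if v}


def amf_authenticate_services(supi, service_ids, servers, timer_seconds):
    """Per-service authentication as in FIG. 11. A result that does not arrive before the
    second timer expires, or a service with no authentication server, is not counted as
    authentication-successful."""
    element_to_server = {"AUSF": servers.get(AuthServer.UDM), "NSSAAF": servers.get(AuthServer.AAA_S)}
    results = {}
    for element, sids in select_authentication_network_elements(service_ids).items():
        server = element_to_server.get(element)
        for sid in sids:
            if server is None:
                results[sid] = AuthResult(sid, False, "no authentication server")
            elif server.response_delay > timer_seconds:
                results[sid] = AuthResult(sid, False, "no authentication result before timer expiry")
            else:
                results[sid] = server.authenticate(supi, sid)
    return results


@dataclass
class Udm:
    """UDM/UDR record written by Nudm_UECM_registration: SUPI -> (first AMF id, successful services)."""
    registrations: dict = field(default_factory=dict)


def amf_complete_registration(udm, supi, amf_id, results):
    """S1205a and S1207: register only the authentication-successful services with the UDM and
    build the per-service result indication carried in the registration accept message."""
    successful = {sid for sid, r in results.items() if r.success}
    udm.registrations[supi] = (amf_id, successful)
    return {sid: ("success" if r.success else "failure", r.cause) for sid, r in results.items()}


def smf_handle_pdu_session_request(udm, supi, third_service_ids):
    """S1304 of FIG. 13: accept only if every requested service was successfully registered.
    Assumed mapping of the two failure reasons named on the page: a UE with no registration
    record at all is 'service not registered'; a registered UE whose requested service is not
    among its authentication-successful services is 'service not authenticated'."""
    record = udm.registrations.get(supi)
    if record is None:
        return "reject", {sid: "service not registered" for sid in third_service_ids}
    _, registered = record
    reasons = {sid: "service not authenticated" for sid in third_service_ids if sid not in registered}
    return ("reject", reasons) if reasons else ("accept", {})


if __name__ == "__main__":
    servers = {
        AuthServer.UDM: SimulatedAuthServer({"supi-example-1": {"service ID1"}}),
        AuthServer.AAA_S: SimulatedAuthServer({"supi-example-1": {"service ID2"}}, response_delay=0.5),
    }
    udm = Udm()
    res = amf_authenticate_services("supi-example-1", list(SERVICE_AUTH_SERVER), servers, 2.0)
    print(amf_complete_registration(udm, "supi-example-1", "amf-1", res))
    print(smf_handle_pdu_session_request(udm, "supi-example-1", ["service ID1", "service ID3"]))
```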
  • the method shown in FIG. 13 may also be implemented on the basis of a traditional registration process, where the traditional registration process may be a registration process in which the authentication server does not authenticate whether the UE can implement services.
  • SMF is equivalent to the first communication device in the method shown in Figure 5.
  • AAA-S is equivalent to the second communication device in the method shown in Figure 5.
  • AMF is equivalent to the third communication device in the method shown in Figure 5.
  • S1304 may be replaced by: the SMF obtains the subscription information (subscription data) of the UE from the UDM during the subscription information acquisition process.
  • the subscription information acquired by the SMF may not indicate a service that is successfully registered.
  • the SMF may initiate an authentication process to an authentication server (for example, an AAA-S outside the mobile communication system) according to the service indication information in the session establishment request, and request the authentication server to authenticate whether the UE can execute the service requested by the UE.
  • the PDU session establishment request may further include at least one of the following: first indication information and second indication information.
  • the first indication information may indicate whether authentication needs to be performed on whether the UE can implement services
  • the second indication information may indicate an authentication server that performs authentication processing.
  • the SMF may determine whether authentication needs to be performed on whether the UE can perform the service, and the authentication server, according to at least one of the following: the first indication information, the second indication information, the service indication information, and the SMF local configuration information. Then, the SMF initiates an authentication process with the authentication server, so as to authenticate whether the UE can perform the service requested by the UE.
  • the method for determining whether authentication needs to be performed on the UE and the authentication server may include, but is not limited to, at least one of the following:
  • Mode 1 After the SMF determines, according to the first indication information, whether authentication needs to be performed on whether the UE can perform services, it determines the address of the authentication server according to the second indication information.
  • Mode 2 After the SMF determines, according to the first indication information, that it is necessary to authenticate whether the UE can perform services, it determines, according to the local configuration information of the SMF, a plurality of authentication servers that can interact with the SMF, and then selects, according to the second indication information, one of the plurality of authentication servers as the authentication server for authenticating whether the UE can perform services.
  • Mode 3 After the SMF determines, according to the first indication information, that authentication needs to be performed on whether the UE can perform services, it determines, according to the second indication information, a plurality of authentication servers that can interact with the SMF, and then selects, according to the local configuration information of the SMF, one of the plurality of authentication servers as the authentication server for authenticating whether the UE can perform services.
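As an added illustration of the three modes (example code written for this page, not from the patent or any 3GPP implementation): the request fields, the local configuration shape and the server addresses below are constructed assumptions, and the second indication information is modelled as a tuple of server addresses or identifiers because its role changes between the modes.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SessionEstablishmentRequest:
    """Fields of the PDU session establishment request the SMF looks at (constructed model)."""
    service: str                          # service indication information
    needs_auth: Optional[bool] = None     # first indication information; None when absent
    server_hint: tuple[str, ...] = ()     # second indication information: AAA-S address(es) or identifier(s)


@dataclass(frozen=True)
class SmfLocalConfig:
    """Assumed SMF local configuration."""
    auth_required_services: frozenset[str]   # fallback policy when no first indication is present
    reachable_servers: dict[str, str]        # AAA-S identifier -> address, in the SMF's preference order


@dataclass(frozen=True)
class AuthDecision:
    auth_required: bool
    server_address: Optional[str]   # None when no server could be determined (or none is needed)

    @property
    def can_proceed(self) -> bool:
        # A required check without a usable server must not silently pass: the SMF should reject.
        return (not self.auth_required) or (self.server_address is not None)


def auth_required(req: SessionEstablishmentRequest, cfg: SmfLocalConfig) -> bool:
    """The first indication information wins; otherwise fall back to the SMF's per-service policy."""
    if req.needs_auth is not None:
        return req.needs_auth
    return req.service in cfg.auth_required_services


def decide(req: SessionEstablishmentRequest, cfg: SmfLocalConfig, mode: int) -> AuthDecision:
    """Decide whether the 'can the UE perform this service' check is needed and which AAA-S to use."""
    if not auth_required(req, cfg):
        return AuthDecision(False, None)
    if mode == 1:
        # Mode 1: the second indication information carries the server address directly.
        address = req.server_hint[0] if req.server_hint else None
    elif mode == 2:
        # Mode 2: local configuration gives the servers the SMF can talk to; the second
        # indication information selects one of them.
        address = next((cfg.reachable_servers[i] for i in req.server_hint
                        if i in cfg.reachable_servers), None)
    elif mode == 3:
        # Mode 3: the second indication information gives the candidate set; local
        # configuration (its preference order) selects one of them.
        candidates = set(req.server_hint)
        address = next((addr for ident, addr in cfg.reachable_servers.items()
                        if ident in candidates), None)
    else:
        raise ValueError(f"unknown mode {mode}")
    return AuthDecision(True, address)


if __name__ == "__main__":
    # Constructed configuration and request; addresses are documentation-range examples.
    cfg = SmfLocalConfig(frozenset({"video"}),
                         {"aaa-1": "198.51.100.10", "aaa-2": "198.51.100.20"})
    req = SessionEstablishmentRequest("video", needs_auth=True, server_hint=("aaa-2", "aaa-1"))
    for mode in (2, 3):
        print(mode, decide(req, cfg, mode))
```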
  • the authentication process initiated by the SMF will be described below with reference to FIG. 14 .
  • the SMF initiates an N4 session establishment process to the UPF.
  • the SMF sends a fifth authentication request to the AAA-S in the DN.
  • the AAA-S in the DN receives the fifth authentication request from the SMF.
  • the fifth authentication request may include service indication information of the service requested by the UE, and the fifth authentication request may request to authenticate whether the UE can realize the service requested by the UE.
  • S1403a The AAA-S sends a fifth authentication response to the SMF.
  • the SMF receives the fifth authentication response from the AAA-S.
  • the fifth authentication response may include service indication information of the service requested by the UE.
  • S1403b The SMF initiates a N1N2 message transfer (Namf_communication_N1N2MessageTransfer) process to the AMF.
  • the SMF may send service indication information of the service requested by the UE to the AMF through the N1N2 message transfer process.
  • S1403c The AMF sends a first NAS SM transport message to the UE.
  • the UE receives the first NAS SM transmission message from the AMF.
  • the first NAS SM transmission message may be an authentication message.
  • the first NAS SM transmission message may include service indication information of the service requested by the UE.
  • S1403d The UE sends a second NAS SM transmission message to the AMF.
  • the AMF receives the second NAS SM transmission message from the UE.
  • the second NAS SM transmission message may be an authentication message.
  • the second NAS SM transmission message may include service indication information of the service requested by the UE.
  • the NAS SM transmission message may also include the UE's authentication result on whether the UE can implement the requested service.
  • S1403e The AMF initiates an update SM context (Nsmf_PDU session_updateSMcontext) process to the SMF.
  • the message in the process of updating the SM context may be an N1SM message (N1SM message).
  • the message in the update SM context procedure may include service indication information of the service requested by the UE.
  • the AMF may send the UE's authentication result on whether the UE can realize the requested service to the SMF in the process of updating the SM context.
  • S1403f The SMF sends a sixth authentication request to the AAA-S.
  • the AAA-S receives the sixth authentication request from the SMF.
  • the sixth authentication request may include service indication information of the service requested by the UE.
  • the AAA-S sends a sixth authentication response to the SMF.
  • the SMF receives the sixth authentication response from the AAA-S.
  • the sixth authentication response may include service indication information of the service requested by the UE.
  • the sixth authentication response includes a first authentication result on whether the UE can implement the requested service (for example, the AAA-S authentication result on whether the UE can implement the requested service).
  • S1405 The mobile communication system continues to execute a subsequent PDU session establishment process according to the first authentication result.
  • when the first authentication result indicates that the UE can implement the requested service, the PDU session establishment request is accepted; otherwise, the PDU session establishment request is rejected.
  • S1406 The SMF sends the allocated IP address to the AAA-S.
  • This step is optional.
  • the SMF may request the AAA-S to authenticate whether the UE can implement the requested service, and obtain the authentication result.
  • the mobile communication system where the SMF is located can provide services for the UE with successful authentication and not provide services for the UE with failed authentication, thereby improving the security of data transmission.
  • the embodiment of this application provides a communication method.
  • the method can be applied to the communication systems shown in FIGS. 1-4, as shown in FIG. 15, FIG. 16 and FIG. 12.
  • the method can implement authentication on whether the terminal device can implement services on the network slice during the network slice authentication process, so that the mobile communication system can provide the terminal device with services that have been successfully authenticated, but not services that have failed to be authenticated, thereby improving the security of service transmission.
  • the first AMF or AMF is equivalent to the first communication device in the method shown in Figure 5
  • the NSSAAF is equivalent to the second communication device in the method shown in Figure 5
  • the UE and/or AN device is equivalent to the third communication device in the method shown in FIG. 5, and […] is equivalent to the fourth communication device in the method shown in FIG. 5.
  • the following takes the UE as an example for illustration.
  • Fig. 15 shows a brief flow of network slice authentication.
  • S1501 UE sends a registration request to AMF.
  • the AMF receives the registration request from the UE.
  • the registration request may include first network slice indication information and first service indication information.
  • the first network slice indication information may indicate the first network slice requested by the UE, and the first service indication information may indicate a first service associated with each network slice in the first network slice.
  • S1502 The AMF sends a seventh authentication request to the NSSAAF.
  • the NSSAAF receives the seventh authentication request from the AMF.
  • the seventh authentication request may include the first network slice indication information and the first service indication information.
  • the seventh authentication request may request to authenticate whether the UE can implement the first service on the first network slice.
  • S1503 The NSSAAF sends an eighth authentication request to the AAA-P.
  • the AAA-P receives the eighth authentication request from the NSSAAF.
  • the eighth authentication request may include the first network slice indication information and the first service indication information.
  • S1504 The AAA-P sends the eighth authentication request to the AAA-S.
  • the AAA-S receives the eighth authentication request from the AAA-P.
  • the eighth authentication request may request the AAA-S to authenticate whether the UE can implement the first service on the first network slice.
  • the NSSAAF may interact directly with the AAA-S.
  • S1503 and S1504 may be replaced by: the NSSAAF sends an eighth authentication request to the AAA-S.
  • Fig. 16 shows the specific flow of network slice authentication.
  • the content of this process can refer to Chapter 4.2.9.2 of TS23.502.
  • service indication information is added to each message. The process will be described in detail below in conjunction with the accompanying drawings.
  • S1601 The AMF triggers a network slice authentication (slice-specific authentication and authorization) process.
  • the AMF can trigger the network slice authentication process according to the registration request of the UE; it can also trigger the network slice authentication process based on other content, for example, in a UE re-authentication and re-authorization process.
  • the registration request may include: the network slice indication information of the first network slice requested by the UE, and the service indication information of the service associated with each network slice.
  • the AMF sends a first NAS mobility management (MM) transport message to the UE.
  • the UE receives the first NAS MM transmission message from the AMF.
  • the first NAS MM transmission message may include at least one of the following: an extensible authentication protocol (EAP) ID request for S-NSSAI, and S-NSSAI.
  • S1603 The UE sends a second NAS MM transmission message to the AMF.
  • the AMF receives the second NAS MM transmission message from the UE.
  • the second NAS MM transmission message may include at least one of the following: an EAP ID response for S-NSSAI, and S-NSSAI.
  • the AMF sends a ninth authentication request (Nnssaaf_NSSAA_Authenticate Request) to the NSSAAF.
  • the NSSAAF receives the ninth authentication request from the AMF.
  • the ninth authentication request may include at least one of the following: the EAP ID response, S-NSSAI, a generic public subscription identifier (GPSI), and service indication information associated with the S-NSSAI.
  • S1605 The NSSAAF sends a first AAA protocol message to the AAA-P.
  • AAA-P receives the first AAA protocol message from the NSSAAF.
  • the first AAA protocol message may include at least one of the following: EAP ID response, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the AAA-P sends a second AAA protocol message to the AAA-S.
  • the AAA-S receives the second AAA protocol message from the AAA-P.
  • the second AAA protocol message may include at least one of the following: the EAP ID response, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the AAA-S sends a third AAA protocol message to the AAA-P.
  • the AAA-P receives the third AAA protocol message from the AAA-S.
  • the third AAA protocol message may include at least one of the following: an EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • S1608 The AAA-P sends a fourth AAA protocol message to the NSSAAF.
  • the NSSAAF receives the fourth AAA protocol message from the AAA-P.
  • the fourth AAA protocol message may include at least one of the following: EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • S1609 The NSSAAF sends a ninth authentication response (Nnssaaf_NSSAA_Authenticate Response) to the AMF.
  • the AMF receives the ninth authentication response from the NSSAAF.
  • the ninth authentication response may include at least one of the following: EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the AMF sends a third NAS MM transmission message to the UE.
  • the UE receives the third NAS MM transmission message from the AMF.
  • the third NAS MM transmission message may include at least one of the following: EAP message, S-NSSAI, and service indication information associated with the S-NSSAI.
  • S1611 The UE sends a fourth NAS MM transmission message to the AMF.
  • the AMF receives the fourth NAS MM transmission message from the UE.
  • the fourth NAS MM transmission message may include at least one of the following: EAP message, S-NSSAI, and service indication information associated with the S-NSSAI.
  • S1612 The AMF sends a tenth authentication request (Nnssaaf_NSSAA_Authenticate Request) to the NSSAAF.
  • the NSSAAF receives the tenth authentication request from the AMF.
  • the tenth authentication request may include at least one of the following: the EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the NSSAAF sends a fifth AAA protocol message to the AAA-P.
  • the AAA-P receives the fifth AAA protocol message from the NSSAAF.
  • the fifth AAA protocol message may include at least one of the following: the EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the fifth AAA protocol message may also include the address of the AAA-S.
  • the AAA-P may send a sixth AAA protocol message to the AAA-S according to the address of the AAA-S, so that the AAA-S can authenticate whether the UE can implement the requested service on the requested network slice.
  • the AAA-S receives the sixth AAA protocol message from the AAA-P.
  • the sixth AAA protocol message may include at least one of the following: the EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the AAA-S sends a seventh AAA protocol message to the AAA-P.
  • the AAA-P receives the seventh AAA protocol message from the AAA-S.
  • the seventh AAA protocol message may include at least one of the following: EAP-Success/Failure message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • S1616 The AAA-P sends an eighth AAA protocol message to the NSSAAF.
  • the NSSAAF receives the eighth AAA protocol message from the AAA-P.
  • the eighth AAA protocol message may include at least one of the following: EAP success/failure message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the NSSAAF sends a tenth authentication response (Nnssaaf_NSSAA_Authenticate Response) to the AMF.
  • the AMF receives the tenth authentication response from the NSSAAF.
  • the tenth authentication response may include at least one of the following: EAP success/failure message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
  • the AMF sends a fifth NAS MM transmission message to the UE.
  • the UE receives the fifth NAS MM transmission message from the AMF.
  • the fifth NAS MM transmission message may include: EAP success/failure message, S-NSSAI, and service indication information associated with the S-NSSAI.
  • the AMF may save the authentication result of the network slice associated with each S-NSSAI.
  • S1619a The AMF initiates a UE configuration update procedure.
  • S1619b The AMF initiates an unsubscribe process.
  • the NSSAAF may directly interact with the AAA-S.
  • the NSSAAF may directly send the first AAA protocol message and the fifth AAA protocol message to the AAA-S.
  • the AAA-S may directly send the third AAA protocol message and the seventh AAA protocol message to the NSSAAF.
  • the AMF can obtain the authentication result of whether the UE can implement the requested service on the network slice requested by the UE, and according to the authentication result, the mobile communication system where the AMF is located can provide the UE with a service whose authentication succeeded and not provide the UE with a service whose authentication failed, thereby improving the security of data transmission.
  • the registration request may include: the first network slice indication information and the first service indication information.
  • the first AMF may trigger the network slice authentication process in S1601 and execute the subsequent steps in FIG. 16.
  • the first AMF may send a registration request to the UDM according to at least one of the following: the result of authenticating whether the UE can implement the first service on the first network slice, and the service indication information associated with that authentication result.
  • the registration request may include at least one piece of the following authentication information: indication information of the network slices successfully authenticated by the UE (for example, a list of the network slices successfully authenticated by the UE), indication information of the successfully authenticated services associated with each successfully authenticated network slice, indication information of all services associated with each successfully authenticated network slice, and the authentication results of all services associated with each successfully authenticated network slice.
  • the UDM may store the received information and the identity information of the first AMF associated therewith in the UDM or UDR.
  • the first AMF may also send the registration information to other communication devices having a storage function, or store the registration information locally in the AMF.
  • the subscription information acquired by the first AMF from the UDM may indicate at least one of the following: a successfully authenticated network slice of the UE, and a successfully authenticated service associated with the network slice.
  • the registration acceptance message may indicate: a network slice that the UE can use in the mobile communication system, and a service of the UE associated with the network slice.
  • the UE may store locally the indication information of the network slice that the UE can use and the service information associated with the network slice.
  • the network slice where the authentication succeeds or fails for the UE may change, and the authentication result of the service associated with the network slice may also change.
  • the mobile communication system may update the UE's network slice authentication result or service authentication result. The update process will be described below with reference to FIG. 12 .
  • the authentication update information may be used to indicate at least one of the following: a network slice of the UE whose authentication succeeded becomes a network slice whose authentication fails; a network slice of the UE whose authentication failed becomes a network slice whose authentication succeeds; a network slice newly added by the UE becomes a network slice whose authentication succeeds; a network slice newly added by the UE becomes a network slice whose authentication fails; a successfully authenticated service associated with the network slice becomes a service associated with the network slice whose authentication fails; a service associated with the network slice whose authentication failed becomes a successfully authenticated service associated with the network slice; a newly added service associated with the network slice becomes a successfully authenticated service associated with the network slice; or a newly added service associated with the network slice becomes a service associated with the network slice whose authentication fails.
  • the authentication update information may include at least one of the following: network slice indication information of a network slice whose authentication result has changed, and service indication information of a service whose authentication result has changed.
  • the mobile communication system executes a subsequent UE configuration update process to update at least one of the following: the UE's successfully authenticated and/or failed network slices, the successfully authenticated and/or failed services associated with a successfully authenticated network slice, and the services associated with network slices whose authentication failed.
  • the AMF can obtain the authentication result of authenticating whether the UE can implement the requested service on the network slice requested by the UE. According to the authentication result, the mobile communication system where the AMF is located can provide the UE with a service whose authentication succeeded and not provide the UE with a service whose authentication failed, thereby improving the security of data transmission.
  • the method shown in FIG. 13 may also be implemented on the basis that the process shown in FIG. 16 is used for the method shown in FIG. 12 . In this case, there are some changes to the method shown in FIG. 13 , and only the changes will be described below.
  • the PDU session establishment request may include: network slice indication information of the network slice requested by the UE, and service indication information of services associated with each network slice.
  • the AMF may select an SMF based on the network slice indication information and service indication information in the PDU session establishment request, and the subscription information of the UE.
  • the subscription information may include: the network slice indication information of the network slice in which the UE has successfully registered in the current network, and the service indication information of the successfully registered service associated with the successfully registered network slice.
  • the AMF may accept the PDU session establishment request, and select an SMF to perform the subsequent PDU session establishment process, otherwise, the AMF may reject the PDU session establishment request.
  • the AMF may feed back a reason for the rejection.
  • the rejection reason may include at least one of the following: service unregistered, service unauthenticated, network slice unregistered, network slice unauthenticated, and the like.
  • the method shown in FIG. 13 may also be implemented on the basis that the process shown in FIG. 16 is used for the method shown in FIG. 12 . In this case, there are some changes to the method shown in FIG. 13 , and only the changes will be described below.
  • the PDU session establishment request may include: network slice indication information of the network slice requested by the UE, and service indication information of services associated with each network slice.
  • the PDU session establishment request sent by the AMF to the SMF may include: network slice indication information of the network slice requested by the UE, and service indication information of services associated with each network slice.
  • the subscription information of the UE acquired by the SMF may indicate a successfully registered network slice of the UE and a successfully registered service associated with the network slice.
  • the subscription information of the UE may include: network slice indication information of a successfully registered network slice of the UE, and service indication information of a successfully registered service associated with the successfully registered network slice.
  • the SMF may determine whether to accept or reject the PDU session establishment request according to, but not limited to, at least one of the following: the network slice indication information of the requested network slice, the service indication information of the service associated with the requested network slice, and the subscription information.
  • when the network slice requested by the UE is a network slice successfully registered by the UE, and the service associated with the successfully registered network slice requested by the UE is a service successfully registered by the UE, the SMF accepts the PDU session establishment request and continues the subsequent PDU session establishment process; otherwise, the SMF rejects the PDU session establishment request.
  • the SMF may send the failure reason of the PDU session establishment to the AMF.
  • the failure reasons may include: unregistered services, unauthenticated services, unregistered network slices, and unauthenticated network slices.
  • the mobile communication system can reuse the authentication result of the registration process to establish a restricted PDU session for the UE. That is to say, the mobile communication system establishes a session for a successfully registered service associated with a network slice that the UE successfully authenticated, and does not establish a session for a service whose authentication failed, so that the UE is provided with the service whose authentication succeeded and not with the service whose authentication failed, thereby improving the security of service transmission.
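An added example (written for this page, not the patent's or any vendor's code) of the per-UE state an AMF or SMF could keep from the network slice authentication results, how the authentication update information of FIG. 12 changes that state, and the accept/reject decision with the rejection reasons listed above. The data model, the S-NSSAI and service names, the reason strings, and the rule that a service update for a slice not seen before creates that slice as unauthenticated are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Rejection reasons named in the description (the exact cause values are constructed).
SLICE_UNREGISTERED = "network slice unregistered"
SLICE_UNAUTHENTICATED = "network slice unauthenticated"
SERVICE_UNREGISTERED = "service unregistered"
SERVICE_UNAUTHENTICATED = "service unauthenticated"


@dataclass
class SliceState:
    authenticated: bool                                      # EAP success/failure for this S-NSSAI
    services: dict[str, bool] = field(default_factory=dict)  # service -> authenticated on this slice?


@dataclass
class UeAuthState:
    """Per-UE state kept after the registration / network slice authentication procedure."""
    slices: dict[str, SliceState] = field(default_factory=dict)  # S-NSSAI -> state

    def record_slice_result(self, snssai: str, eap_success: bool,
                            service_results: dict[str, bool]) -> None:
        """Store what is learned per S-NSSAI from the FIG. 16 exchange: the EAP outcome for
        the slice plus the result for each service carried in the service indication information."""
        self.slices[snssai] = SliceState(eap_success, dict(service_results))

    def apply_update(self, updates: list[tuple[str, Optional[str], bool]]) -> None:
        """Apply authentication update information as (S-NSSAI, service or None, new result).
        A None service updates the slice itself; a service entry for a slice not seen before
        creates that slice as unauthenticated (assumption made for this example)."""
        for snssai, service, result in updates:
            if service is None:
                state = self.slices.setdefault(snssai, SliceState(result))
                state.authenticated = result
            else:
                self.slices.setdefault(snssai, SliceState(False)).services[service] = result

    def evaluate_session_request(
        self, requested: dict[str, list[str]]
    ) -> tuple[bool, list[tuple[str, Optional[str], str]]]:
        """Admission check for a PDU session request of {S-NSSAI: [services]}.
        Accept only when every requested slice, and every requested service on it, is
        successfully authenticated; otherwise return every applicable rejection reason."""
        reasons: list[tuple[str, Optional[str], str]] = []
        for snssai, services in requested.items():
            state = self.slices.get(snssai)
            if state is None:
                reasons.append((snssai, None, SLICE_UNREGISTERED))
                continue
            if not state.authenticated:
                # Services under a failed slice are not examined: the slice itself is the reason.
                reasons.append((snssai, None, SLICE_UNAUTHENTICATED))
                continue
            for service in services:
                if service not in state.services:
                    reasons.append((snssai, service, SERVICE_UNREGISTERED))
                elif not state.services[service]:
                    reasons.append((snssai, service, SERVICE_UNAUTHENTICATED))
        return (not reasons), reasons


if __name__ == "__main__":
    # Constructed walk-through: results from registration, then an update, then two requests.
    ue = UeAuthState()
    ue.record_slice_result("slice-A", True, {"video": True, "voice": False})
    ue.record_slice_result("slice-B", False, {})
    print(ue.evaluate_session_request({"slice-A": ["video", "voice"]}))
    ue.apply_update([("slice-B", None, True), ("slice-B", "iot", True)])
    print(ue.evaluate_session_request({"slice-B": ["iot"]}))
```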
  • the present application also provides a communication device, the structure of which is shown in FIG. 17 , including a communication unit 1701 and a processing unit 1702 .
  • the communication device 1700 can be applied to the AMF, SMF, AUSF, NSSAAF or UDM in the communication systems shown in FIGS. 1 to 4, or to the AAA-S outside the mobile communication system, and can implement the communication method provided by the above embodiments of the present application.
  • the functions of each unit in the apparatus 1700 are introduced below.
  • the communication unit 1701 is configured to receive and send data.
  • the communication unit 1701 can be implemented by a physical interface, a communication module, a communication interface, or an input/output interface.
  • the communication device 1700 can be connected with a network cable or cable through the communication unit, and then establish a physical connection with other devices.
  • the communication apparatus 1700 is applied to the first communication device in the embodiment of the present application (for example, the first communication device in FIG. 5, the first AMF in FIG. 8-FIG. 10, FIG. AMF or SMF).
  • the second communication device includes at least one of the following: AUSF, NSSAAF, UDM, or AAA-S outside the mobile communication system.
  • the specific functions of the processing unit 1702 in this embodiment will be introduced below.
  • the processing unit 1702 is specifically configured to: send a first request to the second communication device through the communication unit 1701, where the first request may include first service indication information, the first service indication information may indicate the first service requested by the terminal device, and the first request may request authentication of whether the terminal device can implement the first service; receive a first response from the second communication device through the communication unit 1701, where the first response may include an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service; and determine, according to the authentication result, whether to provide the first service to the terminal device.
  • the processing unit 1702 is specifically configured to: receive a second request from the third communication device through the communication unit 1701 before sending the first request to the second communication device, where the second request may include the first service indication information, and the second request may be a registration request or a first session establishment request.
  • when the first service includes at least one service, the authentication result includes that the terminal device can implement a second service in the first service, the second request is the registration request, the first communication device is an access and mobility management function (AMF), the second communication device is an authentication server function (AUSF) and/or a network slice-specific authentication and authorization function (NSSAAF), and the third communication device is the terminal device or the access network (AN) device accessed by the terminal device, the processing unit 1702 is specifically configured to:
  • after receiving the first response from the second communication device through the communication unit 1701, send a first message to the unified data management (UDM) through the communication unit 1701, where the first message may include second service indication information used to indicate the second service;
  • receive a second session establishment request from the terminal device or the AN device accessed by the terminal device through the communication unit 1701, where the second session establishment request includes third service indication information, and the third service indication information is used to indicate the third service that the terminal device requests to execute;
  • send a third request to the SMF through the communication unit 1701, where the third request may include the third service indication information, and the third request may request the SMF to accept or reject the second session establishment request according to the second service indication information obtained from the UDM and the third service indication information.
  • the first service includes at least one service
  • the authentication result includes: the terminal device can implement a second service in the first service; when the second request is the registration request,
  • the first communication device is AMF
  • the second communication device is AUSF and/or NSSAAF
  • the third communication device is the terminal device or an AN device accessed by the terminal device; the processing unit 1702 is specifically configured to:
  • the second session establishment request from the terminal device or the AN device accessed by the terminal device is received through the communication unit 1701; wherein, the second session establishment request may include third service indication information, and the third service indication information may indicate the third service that the terminal device requests to execute;
  • when the second service that can be implemented by the terminal device includes the third service, accept the second session establishment request; otherwise, reject the second session establishment request.
  • when the second request is the registration request, the first communication device is AMF, the second communication device is NSSAAF, and the third communication device is the terminal device or the AN device accessed by the terminal device; the second request further includes: first network slice indication information, wherein the first network slice indication information is used to indicate the first network slice that the terminal device requests to access; the first request further includes: the first network slice indication information; the authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
  • the first service includes at least one service
  • the first network slice includes at least one network slice
  • the authentication result includes: the terminal device can implement the fourth service in the first service on the second network slice in the first network slice; the processing unit 1702 is specifically configured to:
  • the second message may include: second network slice indication information and fourth service indication information, wherein the second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice;
  • the third session establishment request may include third network slice indication information and a fifth service indication information, wherein the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate that the terminal device requests a fifth service executed on the third network slice;
  • after receiving the third session establishment request, send a fourth request to the SMF through the communication unit 1701, where the fourth request may include the third network slice indication information and the fifth service indication information, and the fourth request may request the SMF to accept or reject the second session establishment request.
  • the first service includes at least one service
  • the first network slice includes at least one network slice
  • the authentication result includes: the terminal device can implement the fourth service in the first service on the second network slice in the first network slice; the processing unit 1702 is specifically configured to:
  • the second network slice indication information may indicate the second network slice
  • the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice
  • the third session establishment request includes third network slice indication information and a fifth service indication information, wherein the third network slice indication information is used to indicate a third network slice, and the fifth service indication information is used to indicate that the terminal device requests a fifth service executed on the third network slice;
  • when the second network slice includes the third network slice and the fourth service includes the fifth service, accept the third session establishment request; otherwise, reject the third session establishment request.
  • the second request further includes at least one of the following: first indication information and second indication information, wherein the first indication information is used to indicate whether the terminal device can implement the first service, and the second indication information is used to indicate the communication device performing the authentication process.
  • the processing unit 1702 is specifically configured to: when the first communication device is AMF or SMF, before sending the first request to the second communication device, determine the second communication device according to the first service indication information; wherein, the second communication device is at least one of AUSF, NSSAAF, UDM, or an AAA server outside the mobile communication system.
  • the processing unit 1702 is specifically configured to: when the first communication device is AMF or SMF, after receiving the first response from the second communication device, send a third message to the terminal device through the communication unit 1701 according to the authentication result; where the third message includes at least one of the following:
  • Sixth service indication information used to indicate the services that the terminal device can implement
  • the processing unit 1702 is specifically configured to: when the first communication device is an AMF, after receiving the first response from the second communication device, send a fourth message to the terminal device through the communication unit 1701; wherein, the fourth message is used to trigger the terminal device to authenticate whether the terminal device can implement the first service in the mobile communication system according to locally stored authentication information, the authentication information including service authentication information.
  • the first service indication information includes at least one of the following: an identifier of the first service, indication information of a type of the first service, and indication information of a provider of the first service.
  • the communication apparatus 1700 is applied to the second communication device in the embodiment of the present application (for example, the second communication device in FIG. 5, the AUSF and/or UDM in FIG. 8, the AUSF and/or UDM in FIG. 9 or UDM/ARPF, NSSAAF and/or AAA-S in Figure 10, AUSF and/or UDM in Figure 12, AAA-S in DN in Figure 13, NSSAAF and/or AAA-S in Figure 16),
  • the first communication device may include at least one of the following: AMF, SMF.
  • the processing unit 1702 is used for:
  • the first request from the first communication device in the mobile communication system is received through the communication unit 1701; wherein, the first request includes first service indication information, the first service indication information is used to indicate the first service requested by the terminal device, and the first request is used to request authentication of whether the terminal device can implement the first service;
  • the first response includes the first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service;
  • the first authentication result is used by the first communication device to determine whether to provide the first service for the terminal device.
  • processing unit 1702 is specifically configured to:
  • the fifth request includes: the first service indication information, and the fifth request is used to request the fourth communication device to authenticate whether the terminal device can implement the first service;
  • the fifth response includes a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service;
  • processing unit 1702 is specifically configured to:
  • authenticate, according to the first network slice indication information, whether the terminal device can implement the first service on the first network slice, wherein the first network slice indication information is used to indicate the first network slice that the terminal device requests to access; the first authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
  • processing unit 1702 is specifically configured to:
  • the sixth request includes: the first network slice indication information and the first service indication information, and the sixth request is used to request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice;
  • the second communication device is an authentication server function AUSF, and the fourth communication device is a UDM; or, the second communication device is a network slice selection authentication and authorization function NSSAAF, and the fourth communication device is an authentication, authorization and accounting AAA server outside the mobile communication system.
  • the processing unit 1702 is specifically configured to: authenticate whether the terminal device can implement the first service in the mobile communication system according to locally stored authentication information, the authentication information including service authentication information.
  • the first service indication information includes at least one of the following: an identifier of the first service, indication information of a type of the first service, and indication information of a provider of the first service.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, or physically exist separately, or two or more units can be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.
  • when the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disc and other media that can store program codes.
  • this application also provides a communication device, which can be applied to the AMF, SMF, AUSF, NSSAAF or UDM in the communication system shown in Figures 1-4, or to the AAA-S outside the mobile communication system, can implement the communication methods provided in the above embodiments and examples of this application, and has the functions of the communication device shown in FIG. 17.
  • the communication device 1800 includes: a communication module 1801, a processor 1802 and a memory 1803, wherein the communication module 1801, the processor 1802 and the memory 1803 are connected to each other.
  • the communication module 1801, the processor 1802 and the memory 1803 are connected to each other through a bus 1804.
  • the bus 1804 may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 18, but it does not mean that there is only one bus or one type of bus.
  • the communication module 1801 is used to receive and send data to realize communication interaction with other devices.
  • the communication module 1801 may be implemented through a physical interface, a communication module, a communication interface, and an input/output interface.
  • the communication device 1800 is applied to the first communication device in the embodiment of the present application (for example, the first communication device in FIG. 5, the first AMF in FIGS. AMF or SMF).
  • the second communication device includes at least one of the following: AUSF, NSSAAF, UDM, or AAA-S outside the mobile communication system.
  • the processor 1802 is specifically used for:
  • the first request may include first service indication information
  • the first service indication information may indicate the first service requested by the terminal device, and the first request may request authentication of whether the terminal device can implement the first service
  • receiving a first response from the second communication device, wherein the first response may include an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service; and determining whether to provide the first service for the terminal device according to the authentication result.
  • the communication device 1800 is applied to the second communication device in the embodiment of the present application (for example, the second communication device in FIG. 5, the AUSF and/or UDM in FIG. 8, the AUSF and/or UDM in FIG. 9 or UDM/ARPF, NSSAAF and/or AAA-S in Figure 10, AUSF and/or UDM in Figure 12, AAA-S in DN in Figure 13, NSSAAF and/or AAA-S in Figure 16),
  • the first communication device may include at least one of the following: AMF, SMF.
  • the processor 1802 is specifically used for:
  • the first request includes first service indication information, and the first service indication information is used to indicate a first service requested by a terminal device, and the first request is used to request authentication of whether the terminal device can implement the first service;
  • the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service for the terminal device.
  • for the specific functions of the processor 1802, please refer to the descriptions in the above embodiments of the application and the communication methods provided in the examples, as well as the specific function description of the communication device 1700 in the embodiment of the application shown in FIG. 17, which will not be repeated here.
  • the memory 1803 is used to store program instructions and data.
  • the program instructions may include program codes including computer operation instructions.
  • the memory 1803 may include a random access memory (random access memory, RAM), and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the processor 1802 executes the program instructions stored in the memory 1803, and uses the data stored in the memory 1803 to implement the above functions, thereby realizing the communication method provided by the above embodiments of the present application.
  • the memory 1803 in FIG. 18 of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memories.
  • the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or flash memory.
  • the volatile memory can be Random Access Memory (RAM), which acts as external cache memory.
  • the RAM may be, for example, static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (Synchlink DRAM, SLDRAM) or direct rambus random access memory (Direct Rambus RAM, DR RAM).
  • an embodiment of the present application further provides a computer program that, when the computer program is run on a computer, causes the computer to execute the communication method provided by the above embodiments.
  • the embodiments of the present application also provide a computer-readable storage medium, in which a computer program is stored.
  • when the computer program is executed by a computer, the computer executes the communication method provided by the above embodiments.
  • the storage medium may be any available medium that can be accessed by a computer.
  • computer-readable media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • the embodiments of the present application further provide a chip, the chip is configured to read a computer program stored in a memory, and implement the communication method provided by the above embodiments.
  • an embodiment of the present application provides a chip system
  • the chip system includes a processor, configured to support a computer device to implement the functions involved in the service device, forwarding device, or site device in the above embodiments.
  • the chip system further includes a memory, and the memory is used to store necessary programs and data of the computer device.
  • the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
  • the embodiment of the present application provides a communication method, device and system; in this method, the first communication device in the mobile communication system can send a first request to the second communication device to request authentication of whether the terminal device can implement the first service; after receiving the authentication result from the second communication device, the first communication device may determine, according to the authentication result, whether to provide the first service for the terminal device.
  • the first communication device can obtain an authentication result of whether the terminal device can implement the requested service, and according to the authentication result, the mobile communication system where the first communication device is located can provide the terminal device with the successfully authenticated service and not provide the terminal device with the service that failed authentication, so that the security of data transmission can be improved.
  • the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

Abstract

Disclosed in the present application are a communication method, apparatus and system for improving the security of data transmission. The method comprises: a first communication device in a mobile communication system sending a first request to a second communication device, so as to request authentication of whether a terminal device can realize a first service; and after receiving an authentication result from the second communication device, the first communication device determining, according to the authentication result, whether to provide the first service for the terminal device. By means of the solution, a first communication device can obtain an authentication result of whether a terminal device can realize a requested service, and according to the authentication result, a mobile communication system where the first communication device is located can provide the terminal device with a successfully authenticated service, and does not provide the terminal device with a service that is not successfully authenticated, such that the security of data transmission can be improved.

Description

A communication method, device and system
Cross References to Related Applications
This application claims the priority of the Chinese patent application with application number 202111130972.9, entitled "A communication method, device and system", filed with the China Patent Office on September 26, 2021, the entire contents of which are incorporated in this application by reference.
Technical field
The present application relates to the technical field of communication, and in particular to a communication method, device and system.
Background
In the communication field, the mobile communication system can provide transmission channels for various services for terminal devices. For example, the mobile communication system can provide service data transmission channels for the call service, video service, web page service, etc. of the terminal device. In order to improve the security of data transmission, the mobile communication system performs authentication on the terminal device before providing the data transmission channel for the terminal device.
At present, the mobile communication system can authenticate the terminal device according to the subscription information of the terminal device, where the subscription information is related to the identity information of the terminal device.
However, this method cannot adapt to various complex situations, which in turn affects the security of data transmission.
Contents of the invention
The present application provides a communication method, device and system to improve the security of data transmission.
In a first aspect, an embodiment of the present application provides a communication method. This method can be applied to the communication system shown in FIGS. 1-4 below. The method includes: the first communication device in the mobile communication system may send a first request to the second communication device to request authentication of whether the terminal device can implement the first service, wherein the first request includes first service indication information used to indicate the first service requested by the terminal device. After receiving the first response from the second communication device, the first communication device may determine, according to the authentication result in the first response, whether to provide the first service for the terminal device, wherein the first response may include an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service.
Through this method, the first communication device can obtain an authentication result of whether the terminal device can implement the requested service. According to the authentication result, the mobile communication system where the first communication device is located can provide the terminal device with the successfully authenticated service and not provide the terminal device with the service that failed authentication, thereby improving the security of data transmission.
In a possible design, the first communication device may send the first request to the second communication device after receiving a second request from a third communication device, wherein the second request includes the first service indication information, and the second request is a registration request or a first session establishment request.
Through this design, in the registration process or session establishment process, the first communication device can obtain an authentication result of whether the terminal device can implement the requested service. According to the authentication result, the mobile communication system where the first communication device is located can provide the terminal device with the successfully authenticated service and not provide the terminal device with the service that failed authentication, thereby improving the security of data transmission.
In a possible design, the first service includes at least one service, and the authentication result includes: the terminal device is capable of implementing a second service in the first service. When the second request is the registration request, the first communication device is the access and mobility management function AMF, the second communication device is the authentication server function AUSF and/or the network slice selection authentication and authorization function NSSAAF, and the third communication device is the terminal device or the access network AN device accessed by the terminal device. After receiving the first response from the second communication device, the first communication device may accept or reject a session establishment request in, but not limited to, the following ways:
Method 1:
The first communication device may send a first message to the unified data management UDM, wherein the first message includes: second service indication information used to indicate the second service;
After receiving a second session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device sends a third request to the SMF. The second session establishment request may include third service indication information, which is used to indicate the third service that the terminal device requests to execute; the third request may include the third service indication information, and the third request may request the SMF to accept or reject the second session establishment request according to the second service indication information obtained from the UDM and the third service indication information.
In this way, in the registration process, the UDM can obtain and store the second service indication information of the second service that the terminal device can implement (that is, the service indication information of the successfully authenticated service). In the subsequent session establishment process, the SMF can accept or reject the session establishment request according to the authentication result of the registration process obtained from the UDM (including the second service indication information), so that the mobile communication system provides the terminal device with the successfully authenticated service and does not provide the service that failed authentication, thereby improving the security of data transmission.
Method 2:
The first communication device may store the second service indication information used to indicate the second service; after receiving a second session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device accepts or rejects the second session establishment request according to the locally stored second service indication information. The second session establishment request includes third service indication information, which is used to indicate the third service that the terminal device requests to execute.
Optionally, when the second service that the terminal device can implement includes the third service, the first communication device may accept the second session establishment request; otherwise, the first communication device may reject the second session establishment request.
In this way, in the registration process, the first communication device can store the service indication information of the second service in the first service that the terminal device can implement (that is, the service indication information of the successfully authenticated service). In the subsequent session establishment process, the first communication device can accept or reject the session establishment request according to the locally stored authentication result of the registration process (including the second service indication information), so that the mobile communication system provides the terminal device with the successfully authenticated service and does not provide the service that failed authentication, thereby improving the security of data transmission.
In a possible design, when the second request is the registration request, the first communication device may be an AMF, the second communication device may be an NSSAAF, and the third communication device may be the terminal device or the AN device that the terminal device accesses. The second request may further include first network slice indication information, which indicates the first network slice that the terminal device requests to access. The first request may also include the first network slice indication information, and the authentication result may be obtained by the second communication device authenticating whether the terminal device is able to implement the first service on the first network slice.
With this design, during the registration procedure the first communication device can obtain an authentication result on whether the terminal device is able to implement the requested service on the network slice it requested. According to that authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the first service may include at least one service and the first network slice may include at least one network slice, and the authentication result may include: the terminal device is able to implement a fourth service, within the first service, on a second network slice within the first network slice. After receiving the first response from the second communication device, the first communication device may accept or reject a session establishment request in, but not limited to, the following ways:
Method 1:
The first communication device sends a second message to the UDM. The second message includes second network slice indication information and fourth service indication information, where the second network slice indication information indicates the second network slice and the fourth service indication information indicates the fourth service that the terminal device is able to implement on the second network slice.
After receiving a third session establishment request from the terminal device, or from the AN device that the terminal device accesses, the first communication device sends a fourth request to the SMF. The third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information indicates a third network slice and the fifth service indication information indicates a fifth service that the terminal device requests to execute on the third network slice. The fourth request includes the third network slice indication information and the fifth service indication information, and requests the SMF to accept or reject the third session establishment request according to the second network slice indication information and fourth service indication information obtained from the UDM, together with the third network slice indication information and the fifth service indication information.
In this way, during the registration procedure the UDM can obtain the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slice). In the subsequent session establishment procedure, the SMF can accept or reject the session establishment request according to the authentication result of the registration procedure obtained from the UDM (including the second network slice indication information and the fourth service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
Method 2:
The first communication device stores second network slice indication information and fourth service indication information, where the second network slice indication information indicates the second network slice and the fourth service indication information indicates the fourth service that the terminal device is able to implement on the second network slice.
After receiving a third session establishment request from the terminal device, or from the AN device that the terminal device accesses, the first communication device may accept or reject the third session establishment request according to the locally stored second network slice indication information and fourth service indication information. The third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information indicates a third network slice and the fifth service indication information indicates a fifth service that the terminal device requests to execute on the third network slice.
Optionally, when the second network slice includes the third network slice and the fourth service includes the fifth service, the first communication device may accept the third session establishment request; otherwise, the first communication device may reject the third session establishment request.
In this way, during the registration procedure the first communication device can store the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slice). In the subsequent session establishment procedure, the first communication device can accept or reject the session establishment request according to the locally stored authentication result of the registration procedure (including the second network slice indication information and the fourth service indication information), so that the mobile communication system provides the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the second request may further include at least one of first indication information and second indication information, where the first indication information indicates that authentication of whether the terminal device is able to implement the first service is required, and the second indication information indicates the communication device that performs the authentication processing.
In a possible design, when the first communication device is an AMF or an SMF, before sending the first request to the second communication device the first communication device may determine the second communication device according to the first service indication information, where the second communication device is at least one of an AUSF, an NSSAAF, a UDM, or an AAA server outside the mobile communication system.
In a possible design, when the first communication device is an AMF or an SMF, after receiving the first response from the second communication device the first communication device may send a third message to the terminal device according to the authentication result, where the third message includes at least one of the following:
sixth service indication information indicating the services that the terminal device is able to implement;
seventh service indication information indicating the services that the terminal device is unable to implement;
fourth network slice indication information indicating the network slices that the terminal device is able to access, together with eighth service indication information indicating the services that the terminal device is able to implement on those network slices;
fifth network slice indication information indicating the network slices that the terminal device is able to access, together with ninth service indication information indicating the services that the terminal device is unable to implement on those network slices;
sixth network slice indication information indicating the network slices that the terminal device is unable to access, together with tenth service indication information indicating the services that the terminal device requested on those network slices.
With this design, the first communication device can notify the terminal device of the authentication result.
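The local enforcement described above (Method 2, where the first communication device keeps the registration-time authentication result itself) together with the notification contents just listed, as an added Python example that is not part of the patent: an admission-control object stores the per-slice authentication result from registration, rejects any session establishment request it cannot match to a granted (slice, service) pair, and derives the per-slice allowed, denied and rejected lists for the message to the terminal device. UE identifiers, slice names and service names are constructed sample values.

```python
from dataclasses import dataclass

# Added example (not from the patent): the core-network side of the design in
# which the first communication device (e.g. the AMF) keeps the registration-time
# authentication result locally and enforces it at session establishment.
# UE ids, slice names and service names below are constructed sample values.


@dataclass
class AuthenticationResult:
    """Authentication result obtained during the registration procedure.

    requested: slice -> set of services the terminal device asked for on it
    granted:   slice -> set of services that passed authentication on it
    A slice absent from `granted` means the slice itself was not authenticated.
    """
    requested: dict
    granted: dict


@dataclass
class SessionRequest:
    """Session establishment request: network slice indication + service indication."""
    ue_id: str
    network_slice: str
    service: str


class ServiceAdmissionControl:
    """Stores per-UE authentication results and accepts or rejects session requests."""

    def __init__(self):
        self._auth_state = {}  # ue_id -> AuthenticationResult

    def on_registration_authenticated(self, ue_id, result):
        """Store the authentication result obtained in the registration procedure."""
        self._auth_state[ue_id] = result

    def handle_session_request(self, req):
        """Return (accepted, reason). Anything not explicitly granted is rejected."""
        state = self._auth_state.get(req.ue_id)
        if state is None:
            # Fail closed: a UE with no stored result gets no session at all.
            return False, "no registration-time authentication result for UE"
        granted = state.granted.get(req.network_slice)
        if granted is None:
            return False, "network slice not authenticated for this UE"
        if req.service not in granted:
            return False, "service not authenticated on this network slice"
        return True, "accepted"

    def build_notification(self, ue_id):
        """Compose the authentication-result notification for the terminal device.

        allowed_slices:  slices the UE may access, with the services allowed on them
        denied_services: for allowed slices, the requested services that failed
        rejected_slices: slices the UE may not access, with the services it requested
        """
        state = self._auth_state[ue_id]
        allowed, denied, rejected = {}, {}, {}
        for network_slice, requested in state.requested.items():
            granted = state.granted.get(network_slice)
            if granted is None:
                rejected[network_slice] = sorted(requested)
                continue
            allowed[network_slice] = sorted(requested & granted)
            if requested - granted:
                denied[network_slice] = sorted(requested - granted)
        return {"allowed_slices": allowed,
                "denied_services": denied,
                "rejected_slices": rejected}


def example_scenario():
    """Constructed sample: ue-1 requested video and voice on slice-A and web on
    slice-B; only video on slice-A passed authentication."""
    control = ServiceAdmissionControl()
    control.on_registration_authenticated("ue-1", AuthenticationResult(
        requested={"slice-A": {"video", "voice"}, "slice-B": {"web"}},
        granted={"slice-A": {"video"}},
    ))
    return control


if __name__ == "__main__":
    control = example_scenario()
    for req in (SessionRequest("ue-1", "slice-A", "video"),
                SessionRequest("ue-1", "slice-A", "voice"),
                SessionRequest("ue-1", "slice-B", "web"),
                SessionRequest("ue-2", "slice-A", "video")):
        print(req, control.handle_session_request(req))
    print(control.build_notification("ue-1"))
```

The non-slice variant of the same design (second and third service indication information only) is the special case of a single slice key.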
In a possible design, when the first communication device is an AMF, after receiving the first response from the second communication device the first communication device may send a fourth message to the terminal device. The fourth message may trigger the terminal device to authenticate, according to locally stored authentication information, whether the terminal device is able to implement the first service in the mobile communication system, where the authentication information includes authentication information of services.
With this design, the terminal device can authenticate, according to the locally stored authentication information of services, whether it is able to implement the requested service in the mobile communication system. The terminal device can then use successfully authenticated services and not use services that failed authentication, thereby improving the security of data transmission.
In a possible design, the first service indication information may include at least one of the following: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
In a second aspect, an embodiment of the present application provides a communication method. The method can be applied to the communication systems shown in Figures 1 to 4 below. The method includes: after receiving a first request from a first communication device in a mobile communication system, a second communication device authenticates whether a terminal device is able to implement a first service requested by the terminal device. The first request may include first service indication information indicating the first service, and the first request requests authentication of whether the terminal device is able to implement the first service. The second communication device sends a first response to the first communication device, where the first response may include a first authentication result obtained by the second communication device authenticating whether the terminal device is able to implement the first service, and the first authentication result may be used by the first communication device to determine whether to provide the first service to the terminal device.
With this method, the second communication device can authenticate whether the terminal device is able to implement the requested service and send the authentication result to the first communication device, so that the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the second communication device may perform the authentication as follows: after sending a fifth request to a fourth communication device, the second communication device receives a fifth response from the fourth communication device and, according to a second authentication result in the fifth response, authenticates whether the terminal device is able to implement the first service, obtaining the first authentication result. The fifth request may include the first service indication information and requests the fourth communication device to authenticate whether the terminal device is able to implement the first service; the fifth response may include the second authentication result obtained by the fourth communication device authenticating whether the terminal device is able to implement the first service.
With this design, the second communication device and the fourth communication device can jointly authenticate whether the terminal device is able to implement the service. After the first communication device obtains the authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the first request may further include first network slice indication information, which may indicate the first network slice that the terminal device requests to access. In this case, the second communication device may authenticate whether the terminal device is able to implement the first service on the first network slice, and the first authentication result may be obtained by the second communication device authenticating whether the terminal device is able to implement the first service on the first network slice.
With this design, during the registration procedure the second communication device can authenticate whether the terminal device is able to implement the requested service on the network slice it requested and send the authentication result to the first communication device, so that the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the second communication device may perform the authentication as follows:
After sending a sixth request to the fourth communication device, the second communication device receives a sixth response from the fourth communication device and, according to a second authentication result in the sixth response, authenticates whether the terminal device is able to implement the first service, obtaining the first authentication result. The sixth request may include the first network slice indication information and the first service indication information, and may request the fourth communication device to authenticate whether the terminal device is able to implement the first service on the first network slice; the sixth response may include the second authentication result obtained by the fourth communication device authenticating whether the terminal device is able to implement the first service on the first network slice.
With this design, the second communication device and the fourth communication device can jointly authenticate whether the terminal device is able to implement the service on the requested network slice. After the first communication device obtains the authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the second communication device may be an AUSF and the fourth communication device a UDM; or the second communication device may be an NSSAAF and the fourth communication device an AAA server outside the mobile communication system.
In a possible design, the second communication device may authenticate, according to locally stored authentication information, whether the terminal device is able to implement the first service in the mobile communication system, where the authentication information includes authentication information of services.
With this design, the second communication device can authenticate, according to the locally stored authentication information of services, whether the terminal device is able to implement the requested service in the mobile communication system. In this way, after the first communication device obtains the authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
In a possible design, the first service indication information may include at least one of the following: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
In a third aspect, an embodiment of the present application provides a communication apparatus including units for performing the steps of any one of the above aspects.
In a fourth aspect, an embodiment of the present application provides a communication device including at least one processing element and at least one storage element, where the at least one storage element stores a program and data, and the at least one processing element reads and executes the program and data stored in the storage element so that the method provided in any one of the above aspects of the present application is implemented.
In a fifth aspect, an embodiment of the present application provides a communication system including a first communication device for performing the method provided in the first aspect and a second communication device for performing the method provided in the second aspect.
In a sixth aspect, an embodiment of the present application further provides a computer program which, when run on a computer, causes the computer to perform the method provided in any one of the above aspects.
In a seventh aspect, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a computer, causes the computer to perform the method provided in any one of the above aspects.
In an eighth aspect, an embodiment of the present application further provides a chip for reading a computer program stored in a memory and performing the method provided in any one of the above aspects.
In a ninth aspect, an embodiment of the present application further provides a chip system including a processor for supporting a computer apparatus in implementing the method provided in any one of the above aspects. In a possible design, the chip system further includes a memory for storing the program and data necessary for the computer apparatus. The chip system may consist of chips, or may include chips and other discrete components.
For the technical effects achievable by any one of the third to ninth aspects, reference may be made to the description of the technical effects achievable by any possible design of the first or second aspect; repeated content is not discussed again.
Description of the drawings
Figure 1 is an architecture diagram of a communication system provided by an embodiment of the present application;
Figure 2 is an architecture diagram of another communication system provided by an embodiment of the present application;
Figure 3 is an architecture diagram of another communication system provided by an embodiment of the present application;
Figure 4 is an architecture diagram of another communication system provided by an embodiment of the present application;
Figure 5 is a flowchart of a first communication method provided by an embodiment of the present application;
Figure 6 is a schematic diagram of an application scenario of an embodiment of the present application;
Figure 7 is a schematic diagram of another application scenario of an embodiment of the present application;
Figure 8 is a flowchart of a second communication method provided by an embodiment of the present application;
Figure 9 is a flowchart of an authentication method in the second communication method provided by an embodiment of the present application;
Figure 10 is a flowchart of another authentication method in the second communication method provided by an embodiment of the present application;
Figure 11 is a flowchart of another authentication method in the second communication method provided by an embodiment of the present application;
Figure 12 is a flowchart of the third and sixth communication methods provided by an embodiment of the present application;
Figure 13 is a flowchart of the fourth, fifth and seventh communication methods provided by an embodiment of the present application;
Figure 14 is a flowchart of an authentication method of the fifth communication method provided by an embodiment of the present application;
Figure 15 is a flowchart of an authentication method of the sixth communication method provided by an embodiment of the present application;
Figure 16 is a flowchart of another authentication method of the sixth communication method provided by an embodiment of the present application;
Figure 17 is a structural diagram of a communication apparatus provided by an embodiment of the present application;
Figure 18 is a structural diagram of a communication device provided by an embodiment of the present application.
Detailed description
The present application provides a communication method, apparatus and system for improving the security of data transmission. The method, apparatus and system are based on the same technical concept; since the principles by which they solve the problem are similar, the implementations of the apparatus, the system and the method may refer to one another, and repeated content is not described again.
With the solution provided by the embodiments of the present application, a first communication device in a mobile communication system may send a first request to a second communication device, requesting authentication of whether a terminal device is able to implement a first service; after receiving the authentication result from the second communication device, the first communication device may determine, according to the authentication result, whether to provide the first service to the terminal device. With this solution, the first communication device can obtain an authentication result on whether the terminal device is able to implement the requested service, and according to that result the mobile communication system in which the first communication device is located can provide the terminal device with successfully authenticated services and not with services that failed authentication, thereby improving the security of data transmission.
Some terms used in the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
1) Communication device: generally refers to a device with a communication function. For example, the communication device may be, but is not limited to, a terminal device, an access network (AN) device, an access point, or a core network (CN) device.
2) Terminal device: a device that provides voice and/or data connectivity to a user. A terminal device can provide the user with an entry point for interacting with the network; for example, it can display a service window to the user and accept the user's operation input. Next-generation terminal devices can use new radio (NR) technology to establish a connection with an AN device and thereby exchange control signalling and service data with the mobile communication system. A terminal device may also be called user equipment (UE), a mobile station (MS), a mobile terminal (MT), and so on.
For example, the terminal device may be a handheld device with a wireless connection function, a vehicle-mounted device, and the like. Current examples of terminal devices include: mobile phones, tablet computers, notebook computers, palmtop computers, mobile internet devices (MID), wearable devices, virtual reality (VR) devices, augmented reality (AR) devices, wireless terminals in industrial control, wireless terminals in self driving, wireless terminals in remote medical surgery, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, and wireless terminals in smart home.
3) AN device: the device in a mobile communication system that connects a terminal device to the wireless network. An AN device can serve authorized users in a specific area and can provide transmission tunnels with different quality of service (QoS) to the terminal devices those users use, according to the user's level, the service's requirements, and so on. As a node in the radio access network, an AN device may also be called a base station, a radio access network (RAN) node (or device), or an access point (AP).
Current examples of AN devices include: next-generation Node B (gNB), transmission reception point (TRP), evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved NodeB or home Node B, HNB), and baseband unit (BBU).
In addition, in one network structure the AN device may include a centralized unit (CU) node and a distributed unit (DU) node. This structure splits the protocol layers of the AN device: the functions of some protocol layers are placed in the CU under centralized control, while some or all of the functions of the remaining protocol layers are distributed in the DU, which the CU controls centrally.
4)、CN设备,是移动通信***中CN部分中包含的网元。CN设备能够将终端设备接入到不同的数据网络,以及进行计费、移动性管理、会话管理、用户面转发、签约数据维护、策略管理、安全认证等业务。4) The CN device is a network element included in the CN part of the mobile communication system. CN devices can connect terminal devices to different data networks, and perform services such as billing, mobility management, session management, user plane forwarding, subscription data maintenance, policy management, and security authentication.
当终端设备请求附着时,CN可以对终端设备进行安全认证;当终端设备请求业务时,CN可以为终端设备分配资源;当终端设备移动时,CN可以为终端设备更新资源;当终端设备处于空闲态时,CN可以为终端设备提供快速恢复的机制;当终端设备去附着时,CN可以为终端设备释放资源;当终端设备需要传输业务数据包时,CN可以为终端设备提供数据路由。When a terminal device requests attachment, CN can perform security authentication on the terminal device; when a terminal device requests services, CN can allocate resources for the terminal device; when the terminal device moves, CN can update resources for the terminal device; when the terminal device is idle In the state, CN can provide a quick recovery mechanism for the terminal device; when the terminal device is detached, the CN can release resources for the terminal device; when the terminal device needs to transmit service data packets, the CN can provide data routing for the terminal device.
在不同制式的移动通信***中,具有相同功能的CN设备的名称可以存在差异。然而,本申请实施例不限定具有每个功能的CN设备的具体名称。In mobile communication systems of different standards, names of CN devices with the same function may be different. However, the embodiment of the present application does not limit the specific name of the CN device with each function.
For example, in the 4th generation (4G) mobile communication system (that is, long term evolution, LTE), the network element responsible for access control, security control, signalling coordination and similar functions is the mobility management entity (MME); the network element acting as the local mobility management anchor is the serving gateway (S-GW); the network element acting as the handover anchor towards the external data network and responsible for internet protocol (IP) address allocation is the packet data network (PDN) gateway (P-GW); the network element storing user-related data and subscription data is the home subscriber server (HSS); and the network element responsible for policy and charging functions is called the policy and charging rules function (PCRF) network element.
As another example, in the 5th generation (5G) mobile communication system, the core network can be divided by logical function into a control plane (CP) and a user plane (UP). The network elements in the CN responsible for control plane functions may be collectively referred to as control plane network elements, and those responsible for user plane functions may be collectively referred to as user plane network elements. Specifically, on the user plane, the network element that serves as the interface to the data network and is responsible for user plane data forwarding and similar functions is the user plane function (UPF) network element.
On the control plane, the network element responsible for access control and mobility management is called the access and mobility management function (AMF) network element; the network element responsible for session management and for enforcing control policies is called the session management function (SMF) network element; the network element responsible for managing subscription data, user access authorization and similar functions is called the unified data management (UDM) network element; the network element responsible for charging and policy control is called the policy control function (PCF) network element; and the application function (AF) network element is responsible for conveying the application side's requirements to the network side.
5) Data network (DN): a network located outside the mobile communication system. Various services can be deployed on the DN to provide data and/or voice services to terminal devices. In this case the client is generally located on the terminal device and the server on the DN. The DN may be a private network, such as a local area network; an external network not controlled by the operator, such as the Internet; or a dedicated network deployed by the operator, such as a network providing IMS services (for example, an IP multimedia service (IMS) network). This application does not limit this.
6) Session: the connection among the terminal device, the access network device, the user plane network element and the DN that the session management network element in the mobile communication system establishes for the terminal device, used to transmit user plane data between the terminal device and the DN, for example a protocol data unit (PDU) session.
A terminal device can establish one or more PDU sessions with the mobile communication system (for example, a 5G communication system), and one or more quality of service (QoS) flows can be established within each PDU session.
Each QoS flow is used to transmit the data of a service that share the same QoS requirement (reliability or latency). A QoS flow can be identified by a QoS flow identifier (QFI).
There is a correspondence between data flows in the DN and QoS flows in the mobile communication system. For example, when a service data packet in a DN data flow is transmitted to the mobile communication system, the mobile communication system maps the packet to the corresponding QoS flow for transmission. Correspondingly, when a service data packet in a QoS flow in the mobile communication system is transmitted to the DN, it is mapped to the corresponding data flow for transmission.
7) In the embodiments of this application, "authentication" (认证) may be replaced with either of the following terms, which are used synonymously: "鉴权" or "鉴权认证".
8) In the embodiments of this application, "implementing" a service may include "using" the service, and "executing" a service may include "transmitting" the service.
9) In the embodiments of this application, if the authentication result indicates that the terminal device can implement a service, or can implement the service on a network slice, the service may be called a successfully authenticated service; if the authentication result indicates that the terminal device cannot implement the service, or cannot implement it on the network slice, the service may be called an authentication-failed service.
If the authentication result indicates that the terminal device can access a network slice, the network slice may be called a successfully authenticated slice; if the authentication result indicates that the terminal device cannot access the network slice, it may be called an authentication-failed network slice.
"Successfully authenticated" may be replaced with "passed authentication" or "usable", and "authentication failed" may be replaced with "did not pass authentication".
10) After the terminal device has successfully registered with the mobile communication system, a "successfully authenticated service" may be called a "successfully registered service"; an "authentication-failed service" may be called a "registration-failed service" or an "unsuccessfully registered service"; a "successfully authenticated network slice" may be called a "successfully registered network slice"; and an "authentication-failed network slice" may be called a "registration-failed network slice" or an "unsuccessfully registered network slice".
11) In the embodiments of this application, service indication information is information used to indicate a service and may include, but is not limited to, at least one of the following: an identifier of the service, indication information of the type of the service, and indication information of the provider of the service.
For example, the identifier of the service may be a service ID list, the indication information of the type of the service may be a service category ID list, and the indication information of the provider of the service may be a service provider ID list.
12) In the embodiments of this application, network slice indication information is information used to indicate a network slice and may include at least one of the following: requested NSSAI (Requested NSSAI), or single network slice selection assistance information (S-NSSAI).
In addition, when the network slice indication information indicates multiple network slices, it may be a list of network slice IDs, for example an S-NSSAI list.
13) In the embodiments of this application, when a message contains both service indication information and network slice indication information, the service indicated by the service indication information may be a service associated with, or corresponding to, the network slice indicated by the network slice indication information.
In the embodiments of this application, unless otherwise specified, the number of a noun means "singular or plural", that is, "one or more". "At least one" means one or more, and "multiple" means two or more. "And/or" describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it; for example, "A/B" means A or B. "At least one of the following" or a similar expression means any combination of these items, including any combination of a single item or of multiple items.
In addition, it should be understood that in the description of this application, terms such as "first" and "second" are used only to distinguish between the items described and should not be understood as indicating or implying relative importance or order.
The communication system to which the embodiments of this application apply is described below with reference to the accompanying drawings.
FIG. 1 shows the architecture of a possible communication system to which the communication method provided by the embodiments of this application is applicable. As shown in FIG. 1, the communication system includes a terminal device (a UE is used as the example in the figure), a mobile communication system and a DN. The mobile communication system may include two parts: the AN and the CN.
The UE and the mobile communication system are the main components of the communication system. Logically, the UE and the mobile communication system can be divided into a control plane and a user plane. The control plane can be responsible for managing the mobile communication system, and the user plane for transmitting service data.
As shown in FIG. 1, the interface NG2 exists between the AN control plane and the CN control plane; the interface NG3 exists between the AN user plane and the CN user plane; and the interface NG6 exists between the CN user plane and the DN. The components of the communication system can interact through the corresponding interfaces.
The main components of the communication system are described below.
The terminal device is an entity on the user side that can receive and transmit wireless signals, and it needs to access the DN through the mobile communication system. Optionally, the terminal device may act as a relay for other data collectors or other terminal devices, so that those devices can conduct service communication with the DN through the mobile communication system.
A mobile communication system can access at least one DN, and the same DN can also be accessed by at least one mobile communication system.
The network device deployed in the AN is the AN device, which can be responsible for wireless access, air-interface radio resource management, quality of service (QoS) management, data compression and encryption, user plane data forwarding, and similar functions.
The network elements deployed in the CN may be collectively referred to as CN devices. Taking the CN of the 5G mobile communication system as an example, the functions of the main network elements in the CN are described below with reference to FIG. 2. As described above, the network elements in the CN of the 5G mobile communication system can be divided into two types: control plane network elements and user plane network elements.
The user plane network elements include the user plane function (UPF), which is mainly responsible for packet forwarding, QoS control, collection of charging information, and so on, and can forward service data packets according to routing rules received from the SMF. For example, the UPF can send service data packets in the uplink direction to the DN or to other UPFs, and can forward service data packets in the downlink direction to other UPFs or to AN devices.
The control plane network elements are mainly responsible for service procedure interaction and for delivering packet forwarding policies, QoS control policies, and so on to the user plane. The CN control plane uses a service-based architecture: control plane network elements interact with one another by invoking services. In the service-based architecture, a control plane network element can expose services to other control plane network elements for them to invoke.
The control plane network elements mainly include: the AMF, SMF, PCF, AF, network exposure function (NEF), UDM, authentication server function (AUSF), network slice selection function (NSSF), and network function (NF) repository function (NRF).
Of these, the AMF is mainly responsible for UE access management and mobility management, for example UE state maintenance, UE reachability management, forwarding of non-mobility-management (MM) non-access-stratum (NAS) messages, forwarding of session management (SM) N2 messages, and so on.
The SMF is mainly responsible for UE session management, for example managing the establishment and deletion of PDU sessions, maintaining PDU session context, and allocating and releasing resources for UE sessions.
The PCF is mainly responsible for measurement control, for example generating and/or managing user, session and QoS flow processing policies.
The AF is mainly responsible for providing various services; it can interact with the core network through the NEF and with the policy management framework for policy management and so on.
The NEF is mainly responsible for providing the framework, authentication and interfaces related to network capability exposure, and for passing information between the network functions of the mobile communication system and other network functions.
The AUSF is mainly responsible for performing security authentication of the UE.
The NSSF is mainly responsible for selecting network slices for the UE.
The NRF is mainly responsible for storing network function entity information on behalf of other network elements and for providing selection functions.
The UDM is mainly responsible for managing user subscription context.
FIG. 2 also shows the interfaces between network elements in the communication system; the relevant interfaces are described below. N1 is the interface between the UE and the core network control plane; the UE and the AMF can interact through N1. N2 is the interface between the access network device and the core network control plane; the access network device and the AMF can interact through N2. N3 is the communication interface between the access network device and the UPF, used to transmit user data. N4 is the communication interface between the SMF and the UPF, used for policy configuration of the UPF and so on. N6 is the communication interface between the UPF and the DN. The interfaces between the control plane network elements in the CN can be implemented as corresponding service-based interfaces, as shown in FIG. 2.
It should be noted that the communication systems shown in FIG. 1 and FIG. 2 do not limit the communication systems to which the embodiments of this application can apply. The communication method provided by the embodiments of this application can therefore also apply to communication systems of various standards, for example long term evolution (LTE) communication systems, 5G communication systems, sixth generation (6G) communication systems and future communication systems. It should also be noted that the embodiments of this application do not limit the names of the network elements in the communication system: for example, in communication systems of different standards the network elements may have other names, and when multiple network elements are integrated into one physical device, that physical device may also have another name.
FIG. 3 and FIG. 4 each show the network architecture of another possible communication system to which the communication method provided by the embodiments of this application is applicable. As shown in FIG. 3 and FIG. 4, the communication system includes the terminal device's visited public land mobile network (VPLMN) and home public land mobile network (HPLMN), which coexist and interwork.
The VPLMN may be a visited PLMN or a visited non-public network (NPN); it denotes the network that the terminal device accesses in its current area. The HPLMN may be a home PLMN or a home NPN; it denotes the network to which the user belongs.
The VPLMN can interwork with the HPLMN through the visited security edge protection proxy (vSEPP) and the home security edge protection proxy (hSEPP) in the HPLMN. The vSEPP and hSEPP establish a connection over the N32 interface and enforce protection policies, processing each control plane message of the cross-network signalling.
In the HPLMN, the network slice-specific authentication and authorization function (NSSAAF) can implement authentication and authorization based on network slice selection.
The solutions provided by this application are described below with reference to the accompanying drawings. The embodiments of this application provide a communication method that can be applied to the communication systems shown in FIG. 1 to FIG. 4. The flow of the method is described in detail below with reference to the flowchart shown in FIG. 5.
S501: A first communication device in the mobile communication system sends a first request to a second communication device. Correspondingly, the second communication device receives the first request from the first communication device.
In the embodiments of this application, the first communication device may be either of the following: the AMF or the SMF. The second communication device may include at least one of the following: the AUSF, the NSSAAF, a network function (NF) inside the mobile communication system (the UDM is used as the example below), or a standalone server outside the mobile communication system (an authentication, authorization and accounting (AAA) server is used as the example below). The AAA server may be an AAA server (AAA-S).
The first request may include first service indication information, which may indicate the first service requested by the terminal device. The first request may request authentication of whether the terminal device can implement the first service.
Optionally, the first request may further include first network slice indication information, which may indicate the first network slice that the terminal device requests to access. The first request may then request authentication of whether the terminal device can implement the first service on the first network slice.
The first request may reuse an existing message (for example, an authentication request) or may be a dedicated message for requesting that the second communication device authenticate whether the terminal device can implement the first service.
Optionally, before sending the first request to the second communication device, the first communication device may determine the second communication device according to the first service indication information.
For example, if the first communication device determines that the UDM can authenticate all of the services in the first service, it may determine that the second communication device includes at least one of the following: the UDM, the AUSF.
As another example, if the first communication device determines that the AAA server can authenticate all of the services in the first service, it may determine that the second communication device includes at least one of the following: the NSSAAF, the AAA server.
As yet another example, if the first communication device determines that AAA server 1 can authenticate one part of the first service (for example, service a, whose service identifier is service IDa) and AAA server 2 can authenticate another part of the first service (for example, service b, whose service identifier is service IDb), it may determine that the second communication device includes at least one of the following: the NSSAAF, AAA server 1, AAA server 2.
As yet another example, if the first communication device determines that the UDM can authenticate one part of the first service (for example, service 1, whose service identifier is service ID1) and the AAA server can authenticate another part of the first service (for example, service 2, whose service identifier is service ID2), it may determine that the second communication device includes at least one of the following: the UDM, the AUSF, the NSSAAF, the AAA server.
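The four cases above, modelled as an added example that is not part of the patent: a first communication device (AMF or SMF) looks up which authenticator can vouch for each requested service and derives the set of second communication devices, refusing to route a service with no known authenticator rather than dropping it silently. The capability table, service IDs, AAA server names and request field names are constructed for illustration.

```python
"""Added example (not from the patent): selecting the second communication
device(s) from the first service indication information, per the cases in the
text. All identifiers below are constructed; the patent does not define them."""
from typing import Dict, FrozenSet, List, Optional

# Constructed capability table: which authenticator can authenticate each
# service ID. "UDM" is the NF inside the mobile communication system; any
# other value names an AAA server outside it.
AUTHENTICATOR_FOR_SERVICE: Dict[str, str] = {
    "service-ID1": "UDM",
    "service-ID2": "AAA-server",
    "service-IDa": "AAA-server-1",
    "service-IDb": "AAA-server-2",
}


def select_second_devices(service_id_list: List[str],
                          capability: Dict[str, str]) -> FrozenSet[str]:
    """Return the second communication devices for a first request.

    Rules from the text:
      * all services authenticated by the UDM      -> {UDM, AUSF}
      * all services authenticated by AAA server(s) -> {NSSAAF} + those servers
      * a mix of UDM and AAA server(s)              -> union of the two cases
    A service with no known authenticator cannot be authenticated anywhere, so
    the whole selection is refused instead of quietly omitting that service.
    """
    if not service_id_list:
        raise ValueError("first service indication information is empty")
    unknown = [s for s in service_id_list if s not in capability]
    if unknown:
        raise ValueError(f"no authenticator known for services: {unknown}")
    authenticators = {capability[s] for s in service_id_list}
    devices = set()
    if "UDM" in authenticators:
        devices |= {"UDM", "AUSF"}
    aaa_servers = authenticators - {"UDM"}
    if aaa_servers:
        devices |= {"NSSAAF"} | aaa_servers
    return frozenset(devices)


def build_first_request(service_id_list: List[str],
                        s_nssai_list: Optional[List[str]] = None) -> dict:
    """Assemble the first request: first service indication information (a
    service ID list) plus, when the terminal device also requested slices,
    first network slice indication information (an S-NSSAI list), so that the
    request asks whether the service may be implemented on those slices.
    Field names are constructed."""
    request = {"service_indication": {"service_id_list": list(service_id_list)}}
    if s_nssai_list:
        request["network_slice_indication"] = {"s_nssai_list": list(s_nssai_list)}
    return request


if __name__ == "__main__":
    for ids in (["service-ID1"], ["service-IDa", "service-IDb"],
                ["service-ID1", "service-ID2"]):
        print(ids, "->", sorted(select_second_devices(ids, AUTHENTICATOR_FOR_SERVICE)))
    print(build_first_request(["service-ID1"], ["S-NSSAI-1"]))
```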
In some implementations, the first communication device may send the first request to the second communication device after receiving a second request from a third communication device. In this case, the second request may trigger the first communication device to send the first request to the second communication device. The second request may include the first service indication information.
The second request may reuse an existing message (for example, a registration request or a session establishment request, referred to below as the first session establishment request for ease of distinction), or may be a dedicated message used to trigger the first communication device to request authentication of whether the terminal device can implement the first service.
When the second request is the registration request, the first communication device may be an AMF, the second communication device may be an AUSF and/or an NSSAAF, and the third communication device may be the terminal device or the AN device that the terminal device accesses.
Optionally, when the second request is the registration request, the second request may further include the first network slice indication information. In this case, the first request may include the first network slice indication information. The first communication device may be an AMF, the second communication device may be an NSSAAF, and the third communication device may be the terminal device or the AN device that the terminal device accesses.
When the second request is the first session establishment request, the first communication device may be an SMF, the second communication device may be the AAA server, and the third communication device may be an AMF.
Optionally, the second request may further include, but is not limited to, at least one of the following: first indication information and second indication information. The first indication information may indicate that authentication of whether the terminal device can implement the first service is required, and the second indication information may indicate the communication device that performs the authentication processing (that is, the second communication device, for example, an AAA server outside the mobile communication system).
The first indication information may be a predetermined field. For example, when the predetermined field takes a first value, it indicates that authentication of whether the terminal device can implement the first service is required. The second indication information may include, but is not limited to, at least one of the following: the ID of the communication device that performs the authentication processing, and the address information of the communication device that performs the authentication processing.
After receiving the second request, the first communication device may determine, according to the first indication information, that authentication of whether the terminal device can implement the first service is required, determine, according to the second indication information, the communication device that performs the authentication processing (that is, the second communication device), and then send the first request to that second communication device, requesting it to authenticate whether the terminal device can implement the first service.
S502: The second communication device authenticates whether the terminal device can implement the first service and obtains an authentication result (referred to below as the first authentication result for ease of distinction).
The first authentication result may include, but is not limited to, at least one of the following: service indication information of the services that the terminal device can implement, and service indication information of the services that the terminal device cannot implement.
Optionally, when the first request includes the first service indication information and the first network slice indication information, the second communication device may authenticate whether the terminal device can implement the first service on the first network slice, and obtain the first authentication result.
The first authentication result may include, but is not limited to, at least one of the following: network slice indication information indicating the network slice that the terminal device can access, together with service indication information indicating the services that the terminal device can implement on that network slice; network slice indication information indicating the network slice that the terminal device can access, together with service indication information indicating the services that the terminal device cannot implement on that network slice; and network slice indication information indicating the network slice that the terminal device cannot access, together with service indication information indicating the services that the terminal device requested on that network slice.
The implementation of the authentication process is described below.
In some implementations, the second communication device may itself authenticate whether the terminal device can implement the first service and obtain the first authentication result.
Optionally, the second communication device may be the UDM or an AAA server outside the mobile communication system.
In other implementations, the second communication device may authenticate whether the terminal device can implement the first service according to a second authentication result obtained from a fourth communication device. This is described below.
Approach 1:
a1: The second communication device sends a fifth request to the fourth communication device. The fifth request may include the first service indication information, and may request the fourth communication device to authenticate whether the terminal device can implement the first service.
The fifth request may reuse an existing message (for example, an authentication request), or may be a dedicated message used to request the fourth communication device to authenticate whether the terminal device can implement the first service.
a2: The second communication device receives a fifth response from the fourth communication device. The fifth response may include the second authentication result obtained by the fourth communication device from authenticating whether the terminal device can implement the first service.
The fifth response may reuse an existing message (for example, an authentication response), or may be a dedicated message used to send the second authentication result.
Optionally, the second authentication result may include a first authentication vector (AV) with which the fourth communication device authenticates whether the terminal device can implement the first service.
a3: The second communication device may authenticate, according to the second authentication result, whether the terminal device can implement the first service, and obtain the first authentication result.
Optionally, the second communication device may execute the subsequent authentication procedure according to the first AV to obtain the first authentication result. For the subsequent authentication procedure, refer to TS 33.501.
Approach 2:
b1: The second communication device sends a sixth request to the fourth communication device. The sixth request may include the first network slice indication information and the first service indication information, and may request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
The sixth request may reuse an existing message (for example, an authentication request), or may be a dedicated message used to request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
b2: The second communication device receives a sixth response from the fourth communication device. The sixth response may include the second authentication result obtained by the fourth communication device from authenticating whether the terminal device can implement the first service on the first network slice.
The sixth response may reuse an existing message (for example, an authentication response), or may be a dedicated message used to send the second authentication result.
Optionally, the second authentication result may include a second AV with which the fourth communication device authenticates whether the terminal device can implement the first service on the first network slice.
b3: The second communication device may authenticate, according to the second authentication result, whether the terminal device can implement the first service, and obtain the first authentication result.
Optionally, the second communication device executes the subsequent authentication procedure according to the second AV to obtain the first authentication result. For the subsequent authentication procedure, refer to TS 33.501.
Optionally, in Approach 1 and Approach 2 above, the second communication device may be an AUSF and the fourth communication device may be a UDM; or the second communication device may be an NSSAAF and the fourth communication device may be an AAA server outside the mobile communication system.
In the embodiments of this application, the second communication device and/or the fourth communication device may authenticate, according to locally stored first authentication information, whether the terminal device can implement the first service in the mobile communication system, where the first authentication information may include authentication information of services. The first authentication information may include, but is not limited to, at least one of the following: service indication information of the services that the terminal device can implement, and service indication information of the services that the terminal device cannot implement.
Optionally, the first authentication information may be included in the subscription information of the terminal device.
S503: The first communication device receives a first response from the second communication device. Correspondingly, the second communication device sends the first response to the first communication device.
The first response includes the first authentication result obtained in S502.
Optionally, the first response may reuse an existing message (for example, an authentication response), or may be a dedicated message used to send the second authentication result.
S504: The first communication device determines, according to the first authentication result, whether to provide the first service to the terminal device.
In the embodiments of this application, when the second request is the registration request or the first session establishment request, the first communication device may accept or reject the second request according to the first authentication result.
For example, if it is determined according to the first authentication result that a second service in the first service requested by the terminal device is a service that the terminal device can implement (that is, the second service in the first service passes authentication), the first communication device may accept the second request; otherwise, the first communication device may reject the second request. The second service may be some or all of the services in the first service.
For another example, when the second request is a registration request, if it is determined according to the first authentication result that a second network slice in the first network slice requested by the terminal device is a network slice that the terminal device can access (that is, the second network slice in the first network slice passes authentication), and that a fourth service in the first service requested by the terminal device is a service that the terminal device can implement on the second network slice (that is, the fourth service in the first service passes authentication), the first communication device accepts the second request; otherwise, the first communication device rejects the second request. The second network slice may be some or all of the network slices in the first network slice, and the fourth service may be some or all of the services in the first service.
When the first communication device accepts the second request, the first communication device may provide the first service to the terminal device, so that the subsequent registration procedure or session establishment procedure can be executed.
When the first communication device rejects the second request, the first communication device does not provide the first service to the terminal device. In this case, the first communication device may send a failure indication to the terminal device, and the failure indication may include service indication information of the services whose authentication failed.
Optionally, the first communication device may also send a rejection cause to the terminal device. The rejection cause may include, but is not limited to, at least one of the following: service authentication failure, service registration failure, network slice authentication failure, and network slice registration failure.
The first communication device may send the failure indication and the rejection cause in an existing message (for example, a message sent by the AMF to the terminal device in the registration procedure or the session establishment procedure), or in a dedicated message.
The failure indication and the rejection cause may be carried in one message or in multiple messages.
When the first service consists of multiple services and the second communication device consists of multiple communication devices (for example, multiple AUSFs and/or NSSAAFs), the first communication device may accept or reject the second request in, but not limited to, the following implementations.
Implementation 1: After receiving all of the authentication results from the multiple communication devices, the first communication device accepts or rejects the second request according to the received authentication results.
Implementation 2: The first communication device accepts or rejects the second request according to the authentication results received from the multiple communication devices within a predetermined time.
The first communication device may determine the predetermined time by means of a first timer. For example, the first communication device may start the first timer when it sends the first request to the multiple communication devices. Between the start and the expiry of the first timer, the first communication device may receive one or more authentication results. After the first timer expires, the first communication device may accept or reject the second request according to the authentication results received.
In the embodiments of this application, when the second request is a registration request, the first communication device may determine, according to the registration procedure, whether to accept a second session establishment request from the terminal device or the AN device that the terminal device accesses. This is described in detail below.
In some embodiments, if the first service includes at least one service and the first authentication result indicates that the terminal device can implement a second service in the first service (that is, the second service in the first service passes authentication), whether to accept the second session establishment request from the terminal device or the AN device that the terminal device accesses may be determined in, but not limited to, the following methods.
Method 1:
c1: After receiving the first response from the second communication device, the first communication device may send a first message to the UDM. Correspondingly, the UDM receives the first message from the first communication device.
In Method 1, the first communication device may be an AMF.
The first message may include second service indication information indicating the second service.
Optionally, the first message may reuse an existing message (for example, a message in the registration procedure (Nudm_UECM_registration)), or may be a dedicated message used to send the second service indication information.
After receiving the second service indication information, the UDM may store it. For example, the UDM may store the second service indication information locally, or store it in a unified data repository (UDR).
c2: The first communication device receives a second session establishment request from the terminal device or the AN device that the terminal device accesses. Correspondingly, the terminal device or the AN device that the terminal device accesses sends the second session establishment request to the first communication device.
The second session establishment request may include third service indication information, which may indicate a third service that the terminal device requests to execute.
c3: The first communication device sends a third request to the SMF according to the second session establishment request. Correspondingly, the SMF receives the third request from the first communication device.
The third request may include the third service indication information, and may request the SMF to accept or reject the second session establishment request according to the second service indication information obtained from the UDM and the third service indication information.
The third request may reuse an existing message (for example, a create SM context request (Nsmf_PDU session_create SM context request)), or may be a dedicated message.
Optionally, after receiving the third request, the SMF may obtain the second service indication information from the UDM by reusing an existing procedure, or by a dedicated procedure. For example, the SMF may register with the UDM and, through the subscription information retrieval procedure, obtain from the UDM the session management subscription information of the terminal device and the service indication information of the services for which the terminal device registered successfully. The service indication information of the successfully registered services includes the second service indication information.
When the SMF determines that the second service indicated by the obtained second service indication information includes at least one of the third services indicated by the third service indication information (that is, the SMF determines that the terminal device can implement at least one of the third services), the SMF may accept the second session establishment request; when the SMF determines that the second service indicated by the obtained second service indication information does not include any of the third services indicated by the third service indication information (that is, the SMF determines that the terminal device cannot implement any of the third services), the SMF may reject the second session establishment request.
When the second session establishment request is accepted, the SMF may execute the subsequent session establishment procedure.
In Method 1, during the registration procedure the UDM can obtain and store the second service indication information of the second service that the terminal device can implement (that is, the service indication information of the services that were authenticated successfully), and during the subsequent session establishment procedure the SMF can accept or reject the session establishment request according to the authentication result of the registration procedure obtained from the UDM (including the second service indication information). The mobile communication system can thus provide the terminal device with the services that were authenticated successfully without providing the services whose authentication failed, which improves the security of data transmission.
Method 2:
d1: After receiving the first response from the second communication device, the first communication device stores second service indication information indicating the second service.
Optionally, the first communication device may store second network slice indication information and fourth service indication information during the registration procedure.
d2: The terminal device or the AN device that the terminal device accesses sends the second session establishment request to the first communication device. Correspondingly, the first communication device receives the second session establishment request from the terminal device or the AN device that the terminal device accesses.
The second session establishment request may include third service indication information, which may indicate a third service that the terminal device requests to execute.
d3: When the first communication device determines that the second service indicated by the stored second service indication information includes at least one of the third services indicated by the third service indication information (that is, the first communication device determines that the terminal device can implement at least one of the third services, or that at least one of the third services passed authentication), the first communication device may accept the second session establishment request; when the first communication device determines that the second service indicated by the stored second service indication information does not include any of the third services indicated by the third service indication information (that is, the first communication device determines that the terminal device cannot implement any of the third services, or that none of the third services passed authentication), the first communication device may reject the second session establishment request.
When the second session establishment request is accepted, the first communication device may execute the subsequent session establishment procedure.
In Method 2, during the registration procedure the first communication device can store the service indication information of the second service in the first service that the terminal device can implement (that is, the service indication information of the services that were authenticated successfully), and during the subsequent session establishment procedure the first communication device can accept or reject the session establishment request according to the locally stored authentication result of the registration procedure (including the second service indication information). The mobile communication system can thus provide the terminal device with the services that were authenticated successfully without providing the services whose authentication failed, which improves the security of data transmission.
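The following is an added example and is not code from the patent or from its assignee. It models, in one place, the decision logic described for S504 when several second communication devices each authenticate part of the first service (Implementation 1, which waits for every result, and Implementation 2, which decides when the first timer expires), and the later session establishment check of Method 1 (the SMF reads the stored second service indication information from the UDM) and Method 2 (the AMF keeps it locally), which apply the same inclusion test. All identifiers, the timer value, and the sample authentication results are constructed for illustration; the page does not prescribe them.

```python
"""Constructed model of the S504 decision and the session establishment
check described in the patent text. Not the patent's own code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class AuthResult:
    """One first authentication result from one second communication device."""
    authenticator: str            # constructed label, e.g. "AUSF" or "NSSAAF"
    allowed: FrozenSet[str]       # services the terminal device can implement
    denied: FrozenSet[str]        # services it cannot implement
    received_at: float            # seconds after the first request was sent


@dataclass(frozen=True)
class Decision:
    accept: bool
    granted: FrozenSet[str]       # the "second service": requested services that passed
    failed: FrozenSet[str]        # carried in the failure indication on rejection
    cause: Optional[str]          # rejection cause from the page's list, or None


def decide(requested: FrozenSet[str], results: Iterable[AuthResult]) -> Decision:
    """S504: accept the second request if at least one requested service passed
    authentication; otherwise reject with a failure indication and a cause."""
    allowed = frozenset().union(*(r.allowed for r in results))
    granted = requested & allowed
    failed = requested - granted          # denied, or never answered at all
    if granted:
        return Decision(True, granted, failed, None)
    return Decision(False, granted, failed, "service authentication failure")


def decide_after_all(requested: FrozenSet[str], expected: Iterable[str],
                     results: List[AuthResult]) -> Optional[Decision]:
    """Implementation 1: decide only once every expected authenticator answered."""
    if not set(expected) <= {r.authenticator for r in results}:
        return None                       # still waiting for results
    return decide(requested, results)


def decide_after_timer(requested: FrozenSet[str], results: List[AuthResult],
                       timer_s: float) -> Decision:
    """Implementation 2: decide on what arrived before the first timer expired."""
    return decide(requested, [r for r in results if r.received_at <= timer_s])


class ServiceAuthStore:
    """Per-terminal store of the second service indication information.
    In Method 1 this stands for the UDM/UDR that the SMF queries; in Method 2
    it is the AMF's local memory. The inclusion check is the same either way."""

    def __init__(self) -> None:
        self._granted: Dict[str, FrozenSet[str]] = {}

    def save_registration(self, ue_id: str, decision: Decision) -> None:
        """c1/d1: keep only the services that passed registration authentication."""
        if decision.accept:
            self._granted[ue_id] = decision.granted

    def session_request(self, ue_id: str, third_services: FrozenSet[str]) -> Decision:
        """c3/d3: accept if any requested third service is among the services
        authenticated at registration; a terminal with no record is rejected."""
        stored = self._granted.get(ue_id, frozenset())
        usable = third_services & stored
        if usable:
            return Decision(True, usable, third_services - usable, None)
        return Decision(False, usable, third_services, "service authentication failure")


def run_sample() -> Dict[str, Optional[Decision]]:
    """Constructed scenario: the terminal asks for svc1..svc3; the AUSF answers
    quickly, the NSSAAF-fronted AAA server answers after the 1 s timer."""
    requested = frozenset({"svc1", "svc2", "svc3"})
    results = [
        AuthResult("AUSF", frozenset({"svc1"}), frozenset(), received_at=0.4),
        AuthResult("NSSAAF", frozenset({"svc2"}), frozenset({"svc3"}), received_at=2.5),
    ]
    out: Dict[str, Optional[Decision]] = {}
    out["impl1_partial"] = decide_after_all(requested, ["AUSF", "NSSAAF"], results[:1])
    out["impl1"] = decide_after_all(requested, ["AUSF", "NSSAAF"], results)
    out["impl2"] = decide_after_timer(requested, results, timer_s=1.0)
    store = ServiceAuthStore()
    store.save_registration("ue-A", out["impl1"])
    out["session_ok"] = store.session_request("ue-A", frozenset({"svc2", "svc3"}))
    out["session_denied"] = store.session_request("ue-A", frozenset({"svc3"}))
    out["session_unknown"] = store.session_request("ue-B", frozenset({"svc1"}))
    return out


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(name, decision)
```

The sample shows the practical difference between the two implementations: with the timer, svc2 is treated as failed even though the AAA server would later have allowed it, so a deployment choosing Implementation 2 trades completeness for bounded registration latency. The store also shows why the page's approach matters at session establishment: a terminal that was never authenticated, or that asks only for services that failed, gets no session.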
In other embodiments, when the second request is a registration request, if the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result indicates that the terminal device can implement a fourth service in the first service on a second network slice in the first network slice, whether to accept the second session establishment request from the terminal device or the AN device that the terminal device accesses may be determined in, but not limited to, the following approaches.
Approach 1:
e1: After receiving the first response from the second communication device, the first communication device may send a second message to the UDM. Correspondingly, the UDM receives the second message from the first communication device.
In Approach 1, the first communication device may be an AMF.
The second message may include second network slice indication information and fourth service indication information. The second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice.
Optionally, the second message may reuse an existing message (for example, a message in the registration procedure (Nudm_UECM_registration)), or may be a dedicated message used to send the second network slice indication information and the fourth service indication information.
When the second message is a message in the registration procedure, the second network slice may be the network slice for which the terminal device registered successfully, and the fourth service may be the service that the terminal device registered successfully on the second network slice; that is, the second network slice indication information may indicate the network slice for which the terminal device registered successfully, and the fourth service indication information may indicate the service that the terminal device registered successfully on the second network slice. The second network slice indication information and the fourth service indication information may be referred to as allowed NSSAI information.
After receiving the second network slice indication information and the fourth service indication information, the UDM may store them. For example, the UDM may store the second network slice indication information and the fourth service indication information locally, or store them in the UDR.
e2: The first communication device may receive a third session establishment request from the terminal device or the AN device that the terminal device accesses. Correspondingly, the terminal device or the AN device that the terminal device accesses sends the third session establishment request to the first communication device.
其中,所述第三会话建立请求可以包括第三网络切片指示信息和第五业务指示信息,其中,所述第三网络切片指示信息可以指示第三网络切片,所述第五业务指示信息可以指示所述终端设备请求在所述第三网络切片上执行的第五业务。Wherein, the third session establishment request may include third network slice indication information and fifth service indication information, wherein the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate The terminal device requests a fifth service executed on the third network slice.
e3:根据所述第三会话建立请求,所述第一通信设备可以向SMF发送第四请求。相应的,所述SMF接收来自所述第一通信设备的所述第四请求。e3: According to the third session establishment request, the first communications device may send a fourth request to the SMF. Correspondingly, the SMF receives the fourth request from the first communication device.
其中,所述第四请求可以包括所述第三网络切片指示信息和所述第五业务指示信息,所述第四请求可以请求所述SMF根据从所述UDM获取的所述第二网络切片指示信息和第四业务指示信息、以及所述第三网络切片指示信息和所述第五业务指示信息,接受或拒绝所述第二会话建立请求。Wherein, the fourth request may include the third network slice indication information and the fifth service indication information, and the fourth request may request the SMF to indicate the second network slice according to the second network slice obtained from the UDM. information and the fourth service indication information, as well as the third network slice indication information and the fifth service indication information, accept or reject the second session establishment request.
其中,第四请求可以复用现有的消息(例如,建立SM上下文请求(Nsmf_PDU session_create SM context request)),也可以是专用消息。Wherein, the fourth request may reuse an existing message (for example, establish an SM context request (Nsmf_PDU session_create SM context request)), or may be a dedicated message.
可选的,所述SMF在接收到第四请求之后,可以复用现有的流程从所述UDM获取所述第二网络切片指示信息和所述第四业务指示信息,也可以通过专用的流程从所述UDM获取所述第二网络切片指示信息和所述第四业务指示信息。例如,所述SMF可以向所述UDM发起注册,通过获取签约信息流程,从UDM获取所述终端设备的会话管理签约信息、所述终端设备注册成功的业务的指示信息(例如,包括:第二网络切片指示信息和所述第四业务指示信息)。Optionally, after receiving the fourth request, the SMF may reuse the existing process to obtain the second network slice indication information and the fourth service indication information from the UDM, or may use a dedicated process Obtain the second network slice indication information and the fourth service indication information from the UDM. For example, the SMF may initiate registration to the UDM, and obtain the session management subscription information of the terminal device and indication information of services for which the terminal device has successfully registered (for example, including: the second network slicing indication information and the fourth service indication information).
当所述SMF确定获取的第二网络切片指示信息所指示的所述第二网络切片包含所述第三网络切片指示信息所指示的所述第三网络切片中的至少一个网络切片(即所述第三网络切片中的至少一个网络切片通过认证),且所述SMF确定获取的第四业务指示信息所指示的所述第四业务中包含所述第五业务指示信息所指示的所述第五业务中的至少一个业务(即所述第五业务中的至少一个业务通过认证)时,也就是说,当所述SMF确定所述终端设备能够在所述第三网络切片中的至少一个网络切片上,实现所述第五业务中的至少一个业务时,所述SMF可以接受所述第三会话建立请求;当所述SMF确定获取的第二网络切片指示信息所指示的所述第二网络切片不包含所述第三网络切片指示信息所指示的第三网络切片中的任一个网络切片(即所述第三网络切片中不包含通过认证的网络切片),和/或所述SMF确定获取的第四业务指示信息所指示的所述第四业务不包含所述第五业务指示信息所指示的所述第五业务中的任一个业务(即所述第五业务中不包含通过认证的业 务)时,也就是说,当所述SMF确定所述终端设备不能在所述第三网络切片中的任一个网络切片上实现所述第五业务中的任一个业务时,所述SMF可以拒绝所述第三会话建立请求。When the SMF determines that the second network slice indicated by the obtained second network slice indication information includes at least one network slice in the third network slice indicated by the third network slice indication information (that is, the At least one network slice in the third network slice has passed the authentication), and the SMF determines that the fourth service indicated by the acquired fourth service indication information includes the fifth service indicated by the fifth service indication information When at least one service in the service (that is, at least one service in the fifth service passes the authentication), that is, when the SMF determines that the terminal device can operate in at least one network slice in the third network slice When implementing at least one of the fifth services, the SMF may accept the third session establishment request; when the SMF determines that the second network slice indicated by the acquired second network slice indication information Does not include any network slice in the third network slice indicated by the third network slice indication information (that is, the third network slice does not include a certified network slice), and/or the SMF determines that the obtained The fourth service indicated by the fourth service indication information does not include any of the fifth services indicated by the fifth service indication information (that is, the fifth service does not include 
certified services) , that is to say, when the SMF determines that the terminal device cannot implement any of the fifth services on any of the third network slices, the SMF may reject the A third session establishment request.
当接受所述第三会话建立请求时,所述SMF可以执行后续会话建立流程。When accepting the third session establishment request, the SMF may execute a subsequent session establishment process.
在本方式一中,在注册流程中,所述UDM可以获取到第四业务指示信息(即,认证成功的业务的业务指示信息)和第二网络切片指示信息(即,认证成功的网络切片的网络切片指示信息),在后续会话建立流程中,SMF可以根据从UDM获取的注册流程中的认证结果(包括:所述第二网络切片指示信息和所述第四业务指示信息),接受或拒绝会话建立请求,从而所述移动通信***可以为终端设备提供认证成功的业务,而不提供认证失败的业务,进而可以提高数据传输的安全性。In the first method, in the registration process, the UDM can obtain the fourth service indication information (that is, the service indication information of the successfully authenticated service) and the second network slice indication information (that is, the service indication information of the successfully authenticated network slice). Network slice indication information), in the subsequent session establishment process, SMF can accept or reject according to the authentication result in the registration process obtained from UDM (including: the second network slice indication information and the fourth service indication information) The session establishment request, so that the mobile communication system can provide the terminal equipment with a service of successful authentication, but not a service of failed authentication, thereby improving the security of data transmission.
Method two:
f1: After receiving the first response from the second communication device, the first communication device may store second network slice indication information and fourth service indication information.
The second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device is able to implement on the second network slice.
Optionally, the first communication device may store the second network slice indication information and the fourth service indication information during the registration procedure.
f2: The first communication device may receive a third session establishment request from the terminal device or from the AN device accessed by the terminal device. Correspondingly, the terminal device or the AN device accessed by the terminal device sends the third session establishment request to the first communication device.
The third session establishment request may include third network slice indication information and fifth service indication information, where the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate a fifth service that the terminal device requests to execute on the third network slice.
f3: When the first communication device determines that the second network slice indicated by the stored second network slice indication information includes at least one network slice of the third network slice indicated by the third network slice indication information (that is, at least one network slice of the third network slice has passed authentication), and the first communication device determines that the fourth service indicated by the stored fourth service indication information includes at least one service of the fifth service indicated by the fifth service indication information (that is, at least one service of the fifth service has passed authentication), in other words, when the first communication device determines that the terminal device is able to implement at least one service of the fifth service on at least one network slice of the third network slice, the first communication device may accept the third session establishment request. When the first communication device determines that the second network slice indicated by the stored second network slice indication information does not include any network slice of the third network slice indicated by the third network slice indication information (that is, the third network slice contains no authenticated network slice), and/or the first communication device determines that the fourth service indicated by the stored fourth service indication information does not include any service of the fifth service indicated by the fifth service indication information (that is, the fifth service contains no authenticated service), in other words, when the first communication device determines that the terminal device cannot implement any service of the fifth service on any network slice of the third network slice, the first communication device may reject the third session establishment request.
When the third session establishment request is accepted, the first communication device may perform the subsequent session establishment procedure.
In this Method two, during the registration procedure the first communication device may store the fourth service indication information (that is, the service indication information of the successfully authenticated services) and the second network slice indication information (that is, the network slice indication information of the successfully authenticated network slices). In the subsequent session establishment procedure, the first communication device may accept or reject the session establishment request according to the locally stored authentication result of the registration procedure (including the second network slice indication information and the fourth service indication information). In this way the mobile communication system provides the terminal device with the successfully authenticated services and not with the services whose authentication failed, which improves the security of data transmission.
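The following Python listing is an added illustration and is not part of this application or of any implementation by the applicant. It models the accept/reject rule shared by step e3 (decided by the SMF with information fetched from the UDM, Method one) and step f3 (decided by the first communication device from its own stored copy, Method two): the request is accepted only when at least one requested network slice and at least one requested service were authenticated during registration. The class and function names (AllowedInfo, SessionRequest, AllowedInfoStore, decide), the store keyed by SUPI, the handling of a terminal device with no stored result, and the slice and service identifiers are all constructed for this illustration; the text defines no data formats.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed example: minimal model of the accept/reject rule in steps e3 and f3.
# Names, types and sample identifiers are this example's own assumptions.


@dataclass(frozen=True)
class AllowedInfo:
    """Authentication result kept from the registration procedure:
    the 'second network slice indication information' (slices the terminal
    device may access) and the 'fourth service indication information'
    (services it is able to implement)."""
    slices: FrozenSet[str]
    services: FrozenSet[str]


@dataclass(frozen=True)
class SessionRequest:
    """Session establishment request carrying the 'third network slice
    indication information' and the 'fifth service indication information'."""
    supi: str
    slices: FrozenSet[str]
    services: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    accepted: bool
    authenticated_slices: FrozenSet[str]    # requested slices that passed
    authenticated_services: FrozenSet[str]  # requested services that passed
    reason: str


def decide(allowed: Optional[AllowedInfo], request: SessionRequest) -> Decision:
    """Accept only if at least one requested slice AND at least one requested
    service were authenticated during registration; reject otherwise.
    A missing registration result (allowed is None) is treated as a reject
    (an assumption of this example): nothing was authenticated for this UE."""
    if allowed is None:
        return Decision(False, frozenset(), frozenset(),
                        "no authentication result stored for this terminal device")
    slices_ok = request.slices & allowed.slices
    services_ok = request.services & allowed.services
    if slices_ok and services_ok:
        return Decision(True, slices_ok, services_ok,
                        "at least one requested slice and service authenticated")
    if not slices_ok and not services_ok:
        reason = "no requested slice and no requested service authenticated"
    elif not slices_ok:
        reason = "no requested slice authenticated"
    else:
        reason = "no requested service authenticated"
    return Decision(False, slices_ok, services_ok, reason)


class AllowedInfoStore:
    """Where the registration result lives. In Method one the AMF sends it to
    the UDM (step e1) and the SMF fetches it (step e3); in Method two the
    first communication device keeps it locally (step f1). Either way the
    store is keyed by the terminal device and consulted through decide()."""

    def __init__(self) -> None:
        self._by_supi: Dict[str, AllowedInfo] = {}

    def store(self, supi: str, info: AllowedInfo) -> None:
        self._by_supi[supi] = info

    def fetch(self, supi: str) -> Optional[AllowedInfo]:
        return self._by_supi.get(supi)

    def handle(self, request: SessionRequest) -> Decision:
        return decide(self.fetch(request.supi), request)


def demo() -> Dict[str, Decision]:
    """Run the rule over constructed inputs; returns the decisions by case name."""
    store = AllowedInfoStore()
    # Constructed registration outcome: slices A and B, services 1 and 2 passed.
    store.store("supi-example-1", AllowedInfo(frozenset({"slice-A", "slice-B"}),
                                              frozenset({"svc-1", "svc-2"})))

    def req(slices, services, supi="supi-example-1") -> SessionRequest:
        return SessionRequest(supi, frozenset(slices), frozenset(services))

    return {
        "partial_overlap": store.handle(req({"slice-B", "slice-C"}, {"svc-2", "svc-9"})),
        "slice_not_authenticated": store.handle(req({"slice-C"}, {"svc-1"})),
        "service_not_authenticated": store.handle(req({"slice-A"}, {"svc-9"})),
        "unknown_terminal": store.handle(req({"slice-A"}, {"svc-1"}, supi="supi-example-2")),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'accept' if d.accepted else 'reject'} ({d.reason})")
```

As written in steps e3 and f3, slices and services are checked as two independent sets, so a request is accepted when some requested slice and some requested service were each authenticated, without binding a service to the slice it was authenticated on. A deployment that wants the stricter binding can keep the allowed information as slice-to-service pairs, as the allowed NSSAI pairing of step e1 already suggests, and intersect on the pairs instead.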
Optionally, after receiving the first response from the second communication device, the first communication device may send a third message to the terminal device according to the first authentication result.
The third message may include, but is not limited to, at least one of the following:
sixth service indication information, indicating the services that the terminal device is able to implement;
seventh service indication information, indicating the services that the terminal device is not able to implement;
fourth network slice indication information, indicating the network slices that the terminal device is able to access, together with eighth service indication information, indicating the services that the terminal device is able to implement on those network slices;
fifth network slice indication information, indicating the network slices that the terminal device is able to access, together with ninth service indication information, indicating the services that the terminal device is not able to implement on those network slices;
sixth network slice indication information, indicating the network slices that the terminal device is not able to access, together with tenth service indication information, indicating the services requested by the terminal device on those network slices.
In the embodiments of this application, when the first communication device is an AMF, the first communication device may further send a fourth message to the terminal device after receiving the first response from the second communication device. After receiving the fourth message, the terminal device may authenticate, according to locally stored second authentication information, whether the terminal device is able to implement the first service in the mobile communication system; the second authentication information may include authentication information of services. The second authentication information may include, but is not limited to, at least one of the following: indication information of the services that the terminal device is able to implement, and indication information of the services that the terminal device is not able to implement.
Optionally, the second authentication information may be contained in the subscription information of the terminal device. For example, the second authentication information is preconfigured in the subscription information of the terminal device. For another example, the terminal device obtains its subscription information containing the second authentication information through a configuration update procedure.
With the method shown in FIG. 5, the first communication device in the mobile communication system can send a first request to the second communication device, requesting authentication of whether the terminal device is able to implement the first service; after receiving the authentication result from the second communication device, the first communication device may determine, according to the authentication result, whether to provide the first service to the terminal device. With this solution, the first communication device can obtain the result of authenticating whether the terminal device is able to implement the requested service, and according to that result the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services whose authentication failed, thereby improving the security of data transmission.
FIG. 6 is a schematic diagram of an example in which a mobile communication system provided by this application applies the communication method shown in FIG. 5. The application of the method shown in FIG. 5 to the application scenario shown in FIG. 6 is described below with reference to the accompanying drawings.
As shown in FIG. 6, the mobile communication system may be a standalone NPN (standalone NPN, SNPN). The mobile communication system may interact with external AAA-S through an authentication authorization accounting proxy (authentication authorization accounting proxy, AAA-P), and the AAA-S may include AAA-S1 of service provider (service provider, SP) 1, AAA-S2 of SP2, and AAA-S3 of SP3.
In this example, the AAA-S of multiple SPs may store the subscription information of the terminal device and authenticate, according to the stored subscription information, whether the terminal device is able to implement a service. Specifically, the mobile communication system may receive a registration request or a session establishment request from the terminal device, and the registration request or session establishment request may contain service indication information of one or more services. According to the service indication information, the mobile communication system may determine the communication device that authenticates whether the terminal device is able to implement the one or more services. For example, according to the service indication information and the identity information of the terminal device, the mobile communication system may determine that AAA-S1 can authenticate whether the terminal device is able to implement service 1, that AAA-S2 can authenticate whether the terminal device is able to implement service 2, and that AAA-S3 can authenticate whether the terminal device is able to implement service 3. The mobile communication system may then request AAA-S1 to authenticate whether the terminal device is able to implement service 1, request AAA-S2 to authenticate whether the terminal device is able to implement service 2, and request AAA-S3 to authenticate whether the terminal device is able to implement service 3. AAA-S1, AAA-S2 and AAA-S3 may authenticate whether the terminal device is able to implement the services according to the locally stored subscription information of the terminal device.
With this example, during the registration procedure or the session establishment procedure, the mobile communication system can request an external AAA-S to authenticate whether the terminal device is able to implement a service and obtain the authentication result. The mobile communication system can then, according to the authentication result, provide the terminal device with the successfully authenticated services and withhold the services whose authentication failed, thereby improving the security of data transmission.
FIG. 7 is a schematic diagram of another example in which a mobile communication system provided by this application applies the communication method shown in FIG. 5. The application of the method shown in FIG. 5 to the application scenario shown in FIG. 7 is described below with reference to the accompanying drawings.
As shown in FIG. 7, the mobile communication system may be an NPN, the NPN may be owned by an operator, and multiple SPs may provide services to terminal devices through the NPN. The AAA-S in the figure may be the AAA server in the DN, that is, the DN-AAA. In this example, the UDM and the AAA-S of multiple SPs may store the subscription information of the terminal device.
In some implementations, the mobile communication system may receive a registration request or a session establishment request from the terminal device, and the registration request or session establishment request may contain service indication information of one or more services. According to the service indication information, the mobile communication system may determine the communication device that authenticates whether the terminal device is able to implement the one or more services. For example, according to the service indication information of the one or more services and the identity information of the terminal device, the mobile communication system may determine that the AAA-S can authenticate whether the terminal device is able to implement service 1 and that the UDM can authenticate whether the terminal device is able to implement service 2. The mobile communication system may then request the AAA-S to authenticate whether the terminal device is able to implement service 1 and request the UDM to authenticate whether the terminal device is able to implement service 2. The AAA-S and the UDM may authenticate whether the terminal device is able to implement the services according to the locally stored subscription information of the terminal device.
In other implementations, the mobile communication system may receive a session establishment request from the terminal device, and the registration request or session establishment request may contain service indication information of one or more services. The mobile communication system may request the AAA-S to authenticate whether the terminal device is able to implement the one or more services.
With this example, during the registration procedure or the session establishment procedure, the mobile communication system can obtain the result of authenticating whether the terminal device is able to implement the requested service and, according to that result, provide the terminal device with the successfully authenticated services and withhold the services whose authentication failed, thereby improving the security of data transmission.
An embodiment of this application provides a communication method. The method may be applied to the communication systems shown in FIG. 1 to FIG. 4; see FIG. 8. The method authenticates, during the registration procedure of a terminal device, whether the terminal device is able to implement a service, so that the mobile communication system can provide the terminal device with the successfully authenticated services and not with the services whose authentication failed, thereby improving the security of service transmission. In the figure, the first AMF is the AMF that the terminal device is about to access, and the second AMF is the AMF that the terminal device accessed previously. In this example, the first AMF corresponds to the first communication device in the method shown in FIG. 5, the AUSF and/or NSSAAF correspond to the second communication device in the method shown in FIG. 5, the UE and/or AN device correspond to the third communication device in the method shown in FIG. 5, and the UDM and/or AAA-S correspond to the fourth communication device in the method shown in FIG. 5. For convenience of description, the terminal device is taken to be a UE in the following.
S801: The UE sends a registration request to the AN device in order to initiate the registration procedure. Correspondingly, the AN device receives the registration request from the UE.
Optionally, the registration request may contain service indication information indicating a first service. The first service may be a service requested by the UE.
In some implementations, the registration request may further include the identity information of the UE. The identity information may include, but is not limited to, at least one of the following: a subscription permanent identifier (subscription permanent identifier, SUPI) and a subscription concealed identifier (subscription concealed identifier, SUCI).
S802: The AN device selects a first AMF according to the service indication information in the registration request.
S803: The AN device sends the registration request to the first AMF. Correspondingly, the first AMF receives the registration request from the AN device.
The AN device may send the registration request to the first AMF through an N2 message. The N2 message may reuse an existing message, for example Uplink NAS Transport or Initial UE Message, or it may be another message dedicated to sending the registration request; this application does not limit this.
S804: The first AMF initiates the UE context transfer procedure and the identity authentication procedure.
For the specific content of the UE context transfer procedure and the identity authentication procedure, refer to steps 4 to 7 in clause 4.2.2.2 of TS 23.502.
S805: The first AMF selects a suitable AUSF/NSSAAF for the UE according to the UE identity information and the service indication information in the registration request.
The selected AUSF/NSSAAF may be referred to as an authentication network element.
The first AMF may select one or more authentication network elements by, but not limited to, the following methods:
Method 1:
The first AMF may select one or more authentication network elements according to the service indication information.
For example, when the first service is a service that the mobile communication system in which the first AMF is located is able to authenticate (for example, the authentication server of the first service is the UDM), the first AMF may select the AUSF as the authentication network element.
For another example, when the first service is a service authenticated by a communication device outside the mobile communication system in which the first AMF is located (for example, the authentication server of the first service is a third-party AAA server outside the mobile communication system, such as an AAA-S), the first AMF may select the NSSAAF as the authentication network element.
For still another example, when the first service includes both services that the mobile communication system in which the first AMF is located is able to authenticate and services that a communication device outside the mobile communication system is able to authenticate, the first AMF may select both the AUSF and the NSSAAF as authentication network elements. For example, the service indication information in the registration request may include service ID1 and service ID2. If the authentication server of service 1 indicated by service ID1 is the UDM and the authentication server of service 2 indicated by service ID2 is the AAA-S, the first AMF may select the AUSF and the NSSAAF as authentication network elements.
Method 2:
The first AMF may select one or more authentication network elements according to the identity information of the UE (for example, the SUPI and/or SUCI) and the service indication information.
For example, when the UE is a UE that the mobile communication system in which the first AMF is located is able to authenticate, and the first service is a service that the mobile communication system is able to authenticate, the first AMF may select the AUSF as the authentication network element.
For another example, when the UE is a UE that a communication device outside the mobile communication system in which the first AMF is located is able to authenticate, and the first service is a service authenticated by a communication device outside the mobile communication system, the first AMF may select the NSSAAF as the authentication network element.
For still another example, when the first service includes both services that the mobile communication system in which the first AMF is located is able to authenticate and services authenticated by a communication device outside the mobile communication system, and the UE can be authenticated both by the mobile communication system and by a communication device outside the mobile communication system, the first AMF may select the AUSF and the NSSAAF as authentication network elements.
S806: The first AMF initiates the procedure for authenticating whether the UE is able to implement the first service.
The first AMF may initiate the authentication procedure for the UE by sending an authentication request to the authentication network element. Correspondingly, the authentication network element receives the authentication request from the first AMF. The authentication request may include the service indication information of the services requested by the UE that need to be authenticated by that authentication network element.
例如,当所述第一AMF确定所述认证网元为AUSF时,所述第一AMF可以向所述AUSF发送认证请求,所述认证请求中包括所述第一业务指示信息。For example, when the first AMF determines that the authentication network element is an AUSF, the first AMF may send an authentication request to the AUSF, where the authentication request includes the first service indication information.
又例如,当所述第一AMF确定所述认证网元为NSSAAF时,所述第一AMF可以向所述NSSAAF发送认证请求,所述认证请求中包含所述第一业务指示信息。For another example, when the first AMF determines that the authentication network element is the NSSAAF, the first AMF may send an authentication request to the NSSAAF, where the authentication request includes the first service indication information.
再例如,当所述AMF确定所述认证网元为AUSF和NSSAAF时,所述第一AMF可以向所述AUSF发送包含业务ID1的认证请求,以及向所述NSSAAF发送包含业务ID2的认证请求。其中,所述业务ID1所指示的业务的认证服务器为UDM,所述业务ID2所指示的业务的认证服务器为所述第一AMF所在的移动通信***之外的AAA服务器。For another example, when the AMF determines that the authentication network elements are AUSF and NSSAAF, the first AMF may send an authentication request including service ID1 to the AUSF, and send an authentication request including service ID2 to the NSSAAF. Wherein, the authentication server of the service indicated by the service ID1 is UDM, and the authentication server of the service indicated by the service ID2 is an AAA server outside the mobile communication system where the first AMF is located.
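The following is an added example and not part of the patent: an illustration of how an AMF could implement the selection in S805 (Method 1 on the service indication information alone, Method 2 with the additional condition on which domain can authenticate the UE itself) and the split into one authentication request per network element in S806, plus the correlation of the returned results back to the outstanding requests by service ID, since the authentication responses described later carry the service indication information. The service registry, the service IDs, the SN name value and the message field names are assumptions made for illustration.

```python
# Added example (not from the patent): selecting the authentication network
# element per service ID (S805, Method 1 and Method 2) and building one
# authentication request per selected network element (S806).  The service
# registry, the service IDs and the message field names are assumptions.

from dataclasses import dataclass

# Assumed mapping from service ID to the server that authenticates it.
# "UDM" means the service is authenticated inside the mobile communication
# system; "AAA-S" means a third-party server outside it.
SERVICE_AUTH_SERVER = {
    "service-id-1": "UDM",
    "service-id-2": "AAA-S",
    "service-id-3": "UDM",
}

# The authentication network element that fronts each server.
NF_FOR_SERVER = {"UDM": "AUSF", "AAA-S": "NSSAAF"}


@dataclass
class AuthRequest:
    target_nf: str      # "AUSF" or "NSSAAF"
    service_ids: list   # service indication information for this NF only
    ue_identity: str    # SUCI or SUPI
    sn_name: str


def select_auth_nfs(service_ids, registry=SERVICE_AUTH_SERVER,
                    ue_internal=True, ue_external=True):
    """Return {nf_name: [service IDs]} for the requested services.

    With both flags True this is Method 1 (service indication only).
    Method 2 passes ue_internal / ue_external to say which domain can
    authenticate the UE itself; a service whose domain cannot authenticate
    this UE is not silently dropped but returned under the key None, so the
    caller can report it as failed rather than leave it undecided.
    """
    plan = {}
    for sid in service_ids:
        server = registry.get(sid)
        if server is None:
            plan.setdefault(None, []).append(sid)      # unknown service
            continue
        if not (ue_internal if server == "UDM" else ue_external):
            plan.setdefault(None, []).append(sid)      # UE not authenticable here
            continue
        plan.setdefault(NF_FOR_SERVER[server], []).append(sid)
    return plan


def build_auth_requests(service_ids, ue_identity, sn_name, **mode2_flags):
    """S806: one request per selected NF carrying only its service IDs."""
    plan = select_auth_nfs(service_ids, **mode2_flags)
    undecidable = plan.pop(None, [])
    requests = [AuthRequest(nf, ids, ue_identity, sn_name)
                for nf, ids in sorted(plan.items())]
    return requests, undecidable


def correlate(requests, responses):
    """Map responses back to the outstanding requests by service ID.

    The responses echo the service indication information, so each result
    is credited only to the service it was issued for; a result for a
    service that was never requested is treated as an error.
    `responses` is a list of (service_id, "success" | "failure").
    """
    expected = {sid for r in requests for sid in r.service_ids}
    results = {}
    for sid, verdict in responses:
        if sid not in expected:
            raise ValueError(f"unsolicited authentication result for {sid}")
        results[sid] = verdict
    return results
```

The point of returning undecidable service IDs explicitly is that an AMF which merely skips them would leave those services with no authentication result at all; the later steps (S807, S1207) need a definite success or failure per requested service. Likewise, rejecting an unsolicited result prevents a response for one service from being credited to another when several requests are outstanding at once.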
S807: The first AMF performs the subsequent registration procedure according to the authentication result.
The first AMF may determine, according to the authentication result, whether to accept or reject the registration request; for the specific process refer to S504, which is not repeated here. The first AMF then performs the subsequent registration procedure according to that determination.
Optionally, for the subsequent registration procedure refer to steps 10 to 25 in clause 4.2.2.2 of TS 23.502.
With this method, during the registration procedure the AMF obtains an authentication result stating whether the UE may use each requested service. The mobile communication system in which the AMF is located can then provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of data transmission.
The authentication procedure that the first AMF initiates to determine whether the UE can implement the first service is described below with reference to FIG. 9 and FIG. 10.
Mode 1: The first AMF may initiate the authentication procedure by sending an authentication request to the AUSF. In this mode the authentication server may be the UDM. The procedure is described in detail below with reference to FIG. 9.
S901: The UE sends a registration request to the first AMF, and the first AMF receives the registration request from the UE.
The registration request may include the service indication information of the first service.
For the specific content of S901 refer to S801 to S802, which are not repeated here.
S902: The first AMF sends a first authentication request to the AUSF, and the AUSF receives the first authentication request from the first AMF.
The first authentication request may contain the service indication information of the first service.
Optionally, the first authentication request may further include at least one of the following: the identity information of the UE (SUCI or SUPI) and the SN name (the source expands SN as sequence number; in TS 33.501 the SN name carried in the authentication request is the serving network name).
S903: The AUSF may send a second authentication request to the UDM, and the UDM may receive the second authentication request from the AUSF.
The second authentication request may contain the service indication information of the first service.
Optionally, the second authentication request may further include at least one of the following: the identity information of the UE (SUCI or SUPI) and the SN name.
In some implementations, the AUSF may send the second authentication request to one or more authentication servers according to the service indication information in the first authentication request.
S904: The UDM authenticates whether the UE can implement the first service.
The UDM may perform this authentication according to the identity information of the UE and the first service indication information carried in the authentication request.
Optionally, the UDM may store authentication information for authenticating services, and may authenticate whether the UE can implement the first service according to that authentication information.
For the specific content of S904 refer to S502, which is not repeated here.
S905: The UDM sends a first authentication response to the AUSF, and the AUSF receives the first authentication response from the UDM.
The first authentication response may contain the service indication information of the first service.
The first authentication response contains the first authentication result obtained by the UDM when authenticating whether the UE can implement the first service.
In some implementations, the UDM may send the first authentication response to the AUSF according to the identity information of the UE and/or the service indication information in the second authentication request.
S906: The AUSF triggers the subsequent procedure for authenticating whether the UE can implement the first service.
Optionally, for that subsequent procedure refer to clause 6.1.3 of TS 33.501.
In the embodiments of this application, the UDM may also be replaced by an authentication credential repository and processing function (ARPF).
With this method, the AMF can initiate a service-based authentication procedure towards the authentication server inside the mobile communication system according to the service indication information in the registration request. The mobile communication system in which the AMF is located can then, according to the authentication result, provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of service transmission.
Mode 2: The first AMF may initiate the authentication procedure by sending an authentication request to the NSSAAF. In this mode the authentication server is an AAA-S outside the mobile communication system in which the first AMF is located. The procedure is described in detail below with reference to FIG. 10.
S1001: The UE sends a registration request to the first AMF, and the first AMF receives the registration request from the UE.
The registration request may include the service indication information of the first service.
For the specific content of S1001 refer to S801 to S802, which are not repeated here.
S1002: The first AMF sends a third authentication request to the NSSAAF, and the NSSAAF receives the third authentication request from the first AMF.
The third authentication request may contain the service indication information of the first service.
Optionally, the third authentication request may further include at least one of the following: the identity information of the UE (SUCI or SUPI) and the SN name.
S1003: The NSSAAF sends a fourth authentication request to the AAA-P, and the AAA-P receives the fourth authentication request from the NSSAAF.
The fourth authentication request may contain the service indication information of the first service.
Optionally, the fourth authentication request may further include at least one of the following: the identity information of the UE (SUCI or SUPI) and the SN name.
In some implementations, the NSSAAF may send the fourth authentication request to one or more authentication servers according to the service indication information in the third authentication request.
S1004: The AAA-P forwards the fourth authentication request to the AAA-S, and the AAA-S receives the fourth authentication request from the AAA-P.
S1005: The AAA-S authenticates whether the UE can use the first service.
The AAA-S may perform this authentication according to the identity information of the UE and the service indication of the first service carried in the fourth authentication request.
Optionally, the AAA-S may store authentication information for authenticating services, and may authenticate whether the UE can implement the first service according to that authentication information.
Optionally, for the specific content of S1005 refer to S502, which is not repeated here.
S1006: The AAA-S sends a second authentication response to the AAA-P, and the AAA-P receives the second authentication response from the AAA-S.
The second authentication response may include the service indication information.
Optionally, the second authentication response contains the first authentication result obtained by the AAA-S when authenticating whether the UE can implement the first service.
In some implementations, the AAA-S may send the second authentication response to the AAA-P according to the identity information of the UE and/or the service indication information in the fourth authentication request.
Optionally, the second authentication response may further contain the identity information of the UE (SUCI or SUPI).
S1007: The AAA-P forwards the second authentication response to the NSSAAF, and the NSSAAF receives the second authentication response from the AAA-P.
S1008: The NSSAAF sends a third authentication response to the first AMF, and the first AMF receives the third authentication response from the NSSAAF.
The third authentication response includes the authentication result that the NSSAAF derives, from the first authentication result, on whether the UE can implement the first service.
Optionally, the third authentication response may include the service indication information.
In some implementations, the third authentication response may further contain the identity information of the UE (SUCI or SUPI).
After receiving the second authentication response, the NSSAAF may trigger the subsequent authentication procedure, for which refer to TS 33.501.
In the embodiments of this application, the NSSAAF may also interact with the AAA-S without going through an AAA-P. For example, S1003 and S1004 may be replaced by the NSSAAF sending the fourth authentication request directly to the AAA-S, and S1006 and S1007 may be replaced by the AAA-S sending the second authentication response directly to the NSSAAF.
With this method, the AMF can initiate a service-based authentication procedure towards an authentication server outside the mobile communication system according to the service indication information in the registration request. The mobile communication system can then, according to the authentication result, provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of service transmission.
It can be understood that, in the embodiments of this application, the first AMF may initiate authentication requests for one or more services towards the AUSF and/or the NSSAAF according to the service indication information in the registration request, as shown in FIG. 11.
S1101: The UE sends a registration request to the AMF, and the AMF receives the registration request from the UE.
For the specific content of S1101 refer to S801 to S802, which are not repeated here.
The registration request may contain service ID1 and service ID2, where service ID1 is the ID of service 1 and service ID2 is the ID of service 2.
S1102: The AMF sends a first authentication request to the AUSF.
The first authentication request contains service ID1.
Optionally, the AMF may send the first authentication request to the AUSF after determining that the UDM is the server that authenticates whether the UE can implement service 1.
The first authentication request may ask the AUSF to authenticate whether the UE can implement service 1 by the method shown in FIG. 9; in that case the first service in the method of FIG. 9 is service 1.
S1103: The AMF sends a third authentication request to the NSSAAF, and the NSSAAF receives the third authentication request from the AMF.
The third authentication request contains service ID2.
Optionally, the AMF may send the third authentication request to the NSSAAF after determining that the AAA-S is the server that authenticates whether the UE can implement service 2.
The third authentication request may ask the NSSAAF to authenticate whether the UE can implement service 2 in the manner shown in FIG. 10; in that case the first service in the method of FIG. 10 is service 2.
With this method, the AMF can initiate service-based authentication procedures, according to the service indication information of multiple services in the registration request, towards the authentication servers corresponding to those services. The mobile communication system in which the AMF is located can then, according to the authentication results, provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of service transmission.
An embodiment of this application provides a communication method that can be applied in the communication systems shown in FIG. 1 to FIG. 4; see FIG. 12. The method authenticates, during the registration procedure of a terminal device, whether the terminal device may use a service, so that the mobile communication system can provide the terminal device with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of service transmission. In the figure, the first AMF is the AMF that the terminal device is about to access, and the second AMF is the AMF that the terminal device accessed previously. In this example, the first AMF corresponds to the first communication device in the method of FIG. 5, the AUSF and/or NSSAAF to the second communication device, the UE and/or AN device to the third communication device, and the UDM and/or AAA-S to the fourth communication device. For convenience, the description below takes a UE as the terminal device.
S1201 to S1203 may be the same as S801 to S803 and are not repeated here.
S1204: The first AMF initiates the UE context transfer procedure and the authentication procedure.
For the specific content of S1204 refer to S804 to S806 and to steps 10 to 13 in clause 4.2.2.2 of TS 23.502.
S1205a: The first AMF initiates the registration procedure with the UDM (Nudm_UECM_Registration).
Optionally, the first AMF may initiate the registration request towards the UDM according to at least one of the following: the authentication result on whether the UE can implement the first service, and the service indication information corresponding to that authentication result. The service indication information corresponding to the authentication result may be the service indication information contained in the first response in S503.
When the service indication information carried in the registration request sent by the UE indicates multiple services (that is, the first service is multiple services), the first AMF may initiate the registration procedure towards the UDM in at least one of, but not limited to, the following ways:
Method 1:
After receiving the authentication results for all of the multiple services, the first AMF may select the services whose authentication succeeded and initiate the registration procedure towards the UDM according to those services.
Method 2:
After receiving, within a predetermined time, the authentication results for some or all of the multiple services, the first AMF may select the received services whose authentication succeeded and initiate the registration procedure towards the UDM according to those services.
Optionally, the first AMF may determine the predetermined time by means of a second timer. For example, the first AMF may start the second timer when it sends the authentication request to the authentication network element, and may receive authentication results for some or all of the multiple services between the start and the expiry of the second timer. After the second timer expires, the first AMF may select the received services whose authentication succeeded and initiate the registration procedure towards the UDM according to those services.
Method 3:
After receiving an authentication result indicating successful authentication for at least one of the multiple services, the first AMF may initiate the registration procedure towards the UDM.
When the first AMF initiates the registration procedure towards the UDM, it may send the UDM the service indication information of the UE's services whose authentication succeeded. The UDM may then store that service indication information, associated with the identity information of the first AMF, in the UDM or in the UDR.
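The following is an added example and not part of the patent: a small decision function showing how the three ways of S1205a (wait for all results, wait for the second timer, or act on the first success) behave on the same sequence of authentication results, and what the first AMF would then hand to the UDM. The service IDs, the arrival times, the timer value and the field names of the registration are constructed for illustration and are not the Nudm_UECM_Registration schema.

```python
# Added example (not from the patent): the three ways S1205a gives for
# deciding when the first AMF sends Nudm_UECM_Registration to the UDM when
# the registration request named several services.  Service IDs, arrival
# times and the timer value are constructed for illustration.

def decide_registration(requested, arrivals, policy, timer=None):
    """Return (trigger_time, services_to_register).

    requested: service IDs the UE asked for in the registration request.
    arrivals:  (time, service_id, succeeded) for every authentication
               result the AMF receives, time 0 being the moment the
               authentication requests were sent (second timer started).
    policy:    "all"   - wait for every requested service (Method 1)
               "timer" - whatever has arrived when the second timer
                         expires (Method 2)
               "any"   - the first successful result (Method 3)
    A (None, []) return means the policy never triggered, for example a
    result never arrived under "all".
    """
    received = {}
    if policy == "all":
        for t, sid, ok in sorted(arrivals):
            received[sid] = ok
            if set(received) >= set(requested):
                return t, [s for s in requested if received[s]]
        return None, []
    if policy == "timer":
        if timer is None:
            raise ValueError("the timer policy needs the second timer value")
        for t, sid, ok in sorted(arrivals):
            if t <= timer:          # results after expiry are not used here
                received[sid] = ok
        return timer, [s for s in requested if received.get(s, False)]
    if policy == "any":
        for t, sid, ok in sorted(arrivals):
            received[sid] = ok
            if ok:
                return t, [s for s in requested if received.get(s, False)]
        return None, []
    raise ValueError(f"unknown policy {policy!r}")


def build_uecm_registration(amf_id, supi, services):
    """What the UDM stores per S1205a: the successfully authenticated
    service IDs associated with the identity of the first AMF.  Field
    names are assumptions.  Refusing an empty list is this example's
    choice: with nothing authenticated there is nothing to register."""
    if not services:
        raise ValueError("nothing to register: no service authenticated")
    return {"amf_id": amf_id, "supi": supi,
            "authenticated_services": list(services)}
```

Under the timer and first-success policies a service whose result arrives later is simply absent from the registration, not marked as failed; a result that changes afterwards is exactly the case the UE configuration update procedure (S1208 to S1210) is there for.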
S1205b: The first AMF initiates the subscription information retrieval procedure (Nudm_SDM_Get).
Through this procedure the first AMF may obtain the subscription information of the UE's services from the UDM.
The subscription information may include, but is not limited to, at least one of the following: information on the networks the UE may access, and the service indication information of the services the UE may implement in those networks.
Optionally, the first AMF may also obtain SMF selection information, which may indicate the correspondence between services and SMFs. In the session establishment procedure, the AMF may select a suitable SMF for the terminal device according to the SMF selection information and the service requested by the terminal device.
S1205c: The first AMF initiates a subscription procedure towards the UDM.
S1205c is an optional step.
S1206: The mobile communication system performs the subsequent registration procedure.
For the specific content of the subsequent registration procedure refer to steps 15 to 20 in clause 4.2.2.2 of TS 23.502.
S1207: The first AMF sends a registration accept message to the UE, and the UE receives the registration accept message from the first AMF.
The registration accept message may contain indication information of the authentication result for each service in the first service requested by the UE, indicating whether the authentication of that service succeeded or failed.
Optionally, the authentication result may also indicate the reason why the authentication of each service succeeded or failed.
In addition, the registration accept message may include the subscription information of the services requested by the UE. After receiving the registration accept message, the UE may update its locally stored subscription information.
Through the above procedure, the UE is successfully registered in the mobile communication system.
In some implementations, after the UE has registered successfully, the set of the UE's services whose authentication succeeded or failed may change. In that case the mobile communication system may update those services. The update procedure is described below with reference to FIG. 12.
S1208: The first AMF determines to initiate a UE configuration update procedure.
The first AMF may determine that a UE configuration update procedure needs to be initiated after receiving authentication update information from the authentication server. The authentication update information may indicate an update of the authentication result of a service of the UE, for example changing a service whose authentication succeeded into one whose authentication failed, or changing a service whose authentication failed into one whose authentication succeeded.
The authentication update information may contain the service indication information of the services whose authentication result changed.
For example, for a first target service of the UE whose authentication failed, if the user corresponding to the UE subscribes to that first target service, the authentication server may update it to a service whose authentication succeeded.
S1209: The first AMF sends a UE configuration update command to the UE, and the UE receives the UE configuration update command from the first AMF.
The UE configuration update command may contain the authentication update information.
S1210: The mobile communication system performs the subsequent UE configuration update procedure and updates which services of the UE are authenticated successfully or unsuccessfully.
With this method, during the registration procedure the first AMF obtains an authentication result stating whether the UE may use each requested service. The mobile communication system in which the first AMF is located can then provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of data transmission.
本申请实施例提供了一种通信方法。该方法可以适用于图1-图4所示的通信***中,参阅图13所示。该方法可以基于图8或图12所示的方法来实现,根据图8或图12所示的方法,在注册流程中,认证服务器对所述UE是否可以使用业务进行认证。在本方法中, 移动通信***可以基于注册流程的认证结果,为所述UE提供认证成功的业务的会话,而不提供认证失败的业务的会话,从而可以提高业务传输的安全性。图13中的AMF可以为图8或图12中的第一AMF。在本实例中,AMF相当于图5所示方法中的第一通信设备。为描述方便,下面以终端设备为UE为例进行说明。The embodiment of this application provides a communication method. This method can be applied to the communication systems shown in FIGS. 1-4 , as shown in FIG. 13 . This method can be implemented based on the method shown in FIG. 8 or FIG. 12 . According to the method shown in FIG. 8 or FIG. 12 , in the registration process, the authentication server authenticates whether the UE can use the service. In this method, based on the authentication result of the registration process, the mobile communication system may provide the UE with a session of a service whose authentication is successful, but not a session of a service whose authentication fails, thereby improving the security of service transmission. The AMF in FIG. 13 may be the first AMF in FIG. 8 or FIG. 12 . In this example, the AMF is equivalent to the first communication device in the method shown in FIG. 5 . For the convenience of description, the following takes the UE as an example for illustration.
S1301:所述UE向AMF发送PDU会话建立请求(PDU session establishment request)。相应的,所述AMF接收来自所述UE的所述PDU会话建立请求。S1301: The UE sends a PDU session establishment request (PDU session establishment request) to the AMF. Correspondingly, the AMF receives the PDU session establishment request from the UE.
其中,所述UE可以在成功注册到移动通信***之后,向所述AMF发送PDU会话建立请求,以便发起PDU会话建立流程。所述PDU会话建立流程可以是所述UE触发的,也可以是所述移动通信***触发的。所述PDU会话建立请求可以为NAS消息。Wherein, the UE may send a PDU session establishment request to the AMF after successfully registering with the mobile communication system, so as to initiate a PDU session establishment process. The PDU session establishment procedure may be triggered by the UE or by the mobile communication system. The PDU session establishment request may be a NAS message.
可选的,所述会话建立请求可以包括所述UE请求传输的第三业务的业务指示信息。其中,所述第三业务可以是一个或多个业务。Optionally, the session establishment request may include service indication information of the third service that the UE requests to transmit. Wherein, the third service may be one or more services.
在一些可能的实现方式中,所述PDU会话建立请求中可以不包含以下至少一项信息:数据网络名称(data network name,DNN)、S-NSSAI、会话和业务连续性(session and service continuity,SSC)模式。所述移动通信***可以根据注册的业务信息来配置这些信息。In some possible implementations, the PDU session establishment request may not include at least one of the following information: data network name (data network name, DNN), S-NSSAI, session and service continuity (session and service continuity, SSC) mode. The mobile communication system can configure these information according to the registered service information.
S1302: The AMF selects a suitable SMF for the UE according to the received PDU session establishment request.
The AMF may select the SMF based on the third service indication information in the PDU session establishment request.
Optionally, the AMF may also select the SMF according to at least one of the following: the local configuration information of the AMF, the subscription information of the UE obtained during the registration procedure, and the SMF selection information of the UE.
For example, the local configuration information or the subscription information contains SMF information corresponding to the UE. The AMF selects a suitable SMF according to the SMF information corresponding to the UE or the SMF selection information of the UE.
Optionally, the AMF may obtain the SMF selection information of the UE in, but not limited to, the following ways.
Way 1: The AMF may obtain the SMF selection information of the UE through a subscription information retrieval procedure.
Way 2: The AMF may obtain the SMF selection information of the UE from the PDU session establishment request.
S1303: The AMF sends an SM context creation request (Nsmf_PDU session_create SM context request) to the selected SMF. Correspondingly, the SMF receives the SM context creation request from the AMF.
The SM context creation request may include the third service indication information. For the specific content of the third service indication information, refer to the method shown in FIG. 5.
Optionally, the SM context creation request may contain the PDU session establishment request.
S1304: The SMF obtains the subscription data of the UE from the UDM in the subscription information retrieval procedure.
The subscription information of the UE may indicate the services for which the UE's registration succeeded. For example, the subscription information of the UE may include service indication information of the services that the UE is able to use in the mobile communication system.
Optionally, the SMF may determine whether to accept or reject the PDU session establishment request according to, but not limited to, at least one of the following: the service indication information of the third service, and the successfully registered services of the UE indicated by the subscription information. When the third service is a service for which the UE's registration succeeded, the SMF accepts the PDU session establishment request and continues with the subsequent PDU session establishment procedure; otherwise, the SMF rejects the PDU session establishment request.
When rejecting the PDU session establishment request, the SMF may send the failure cause of the PDU session establishment to the AMF. The failure causes may include: service not registered, and service not authenticated.
S1305: The SMF sends an SM context creation response (Nsmf_PDU session_Create SM context response) to the AMF. Correspondingly, the AMF receives the SM context creation response from the SMF.
S1306: The mobile communication system performs the PDU session authentication/authorization procedure.
S1307a: The SMF selects a PCF for the UE.
S1307b: The SMF initiates an SM policy association establishment or SM policy association modification procedure towards the selected PCF, in order to obtain policy and charging control (PCC) rules and other information from the PCF.
S1307a and S1307b are optional steps.
S1308: The SMF selects a suitable UPF for the UE according to the location information and subscription information of the UE, the SM policy association, and other information.
S1309: When the PCC rules obtained by the SMF in S1307 are dynamic PCC rules, the SMF initiates an SM policy association modification procedure towards the PCF in order to obtain updated PCC rules from the PCF.
Note that if the PCC rules obtained by the SMF in S1307 are not dynamic PCC rules, the SMF need not perform S1309; S1309 is therefore an optional step.
S1310a: The SMF sends an N4 session establishment/modification request to the UPF.
S1310b: The UPF sends an N4 session establishment/modification response to the SMF.
S1311: The mobile communication system performs the subsequent PDU session establishment procedure.
For the specific content of the subsequent PDU session establishment procedure, refer to clause 4.3.2.3 of TS 23.502.
Through this method, in the session establishment procedure the mobile communication system can establish a restricted PDU session for the UE according to the indication information of the service requested by the UE in the session establishment request and the services, determined in the registration procedure, for which the UE successfully registered in the current network. That is, the mobile communication system establishes sessions for the services the UE successfully registered and does not establish sessions for the services the UE failed to register, so that the UE is provided only with successfully registered services, thereby improving the security of service transmission.
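As an added example (not the patent's own code), the SMF-side admission decision of S1304 and S1305 in Python: each requested service of the third service indication is checked against the registered services in the subscription data, the two failure causes the text names are reported, and DNN, S-NSSAI and SSC mode omitted from the request are filled in from the registered service information. The subscription-data layout, the cause strings and the sample values are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Failure causes the SMF may report to the AMF in the SM context creation response (S1305).
# The patent names the two causes; the exact strings are an assumption.
CAUSE_NOT_REGISTERED = "service not registered"
CAUSE_NOT_AUTHENTICATED = "service not authenticated"


@dataclass
class RegisteredService:
    """Constructed per-service entry of the UE's subscription data (assumed layout).

    authenticated=False models a service the UE asked for at registration whose
    registration-time authentication failed: the service is known but not usable.
    """
    dnn: str
    s_nssai: str
    ssc_mode: int
    authenticated: bool = True


@dataclass
class PduSessionEstablishmentRequest:
    """Constructed model of the request in S1301; DNN, S-NSSAI and SSC mode are optional."""
    services: list[str]          # third service indication: one or more services
    dnn: Optional[str] = None
    s_nssai: Optional[str] = None
    ssc_mode: Optional[int] = None


@dataclass
class SmfDecision:
    accepted: bool
    cause: Optional[str] = None
    rejected_service: Optional[str] = None
    # Session parameters as resolved by the SMF when the request is accepted
    dnn: Optional[str] = None
    s_nssai: Optional[str] = None
    ssc_mode: Optional[int] = None


def smf_decide(req: PduSessionEstablishmentRequest,
               subscription: dict[str, RegisteredService]) -> SmfDecision:
    """S1304: accept only if every requested service is a successfully registered service.

    `subscription` maps a service indication to its RegisteredService entry
    (constructed layout standing in for the UDM subscription data).
    """
    if not req.services:
        # Nothing to check against the registered services: reject rather than guess.
        return SmfDecision(False, CAUSE_NOT_REGISTERED)
    for svc in req.services:
        entry = subscription.get(svc)
        if entry is None:
            return SmfDecision(False, CAUSE_NOT_REGISTERED, svc)
        if not entry.authenticated:
            return SmfDecision(False, CAUSE_NOT_AUTHENTICATED, svc)
    # Every service is registered. Parameters the request omitted are taken from the
    # registered service information (assumption: the services of one request are bound
    # to the same DNN and slice, so the first entry is representative).
    ref = subscription[req.services[0]]
    return SmfDecision(
        True,
        dnn=req.dnn if req.dnn is not None else ref.dnn,
        s_nssai=req.s_nssai if req.s_nssai is not None else ref.s_nssai,
        ssc_mode=req.ssc_mode if req.ssc_mode is not None else ref.ssc_mode,
    )
```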
In some implementations, the method shown in FIG. 13 may also be implemented on the basis of a conventional registration procedure, that is, a registration procedure in which the authentication server does not authenticate whether the UE is able to use a service. In this example, the SMF corresponds to the first communication device in the method shown in FIG. 5, the AAA-S corresponds to the second communication device in the method shown in FIG. 5, and the AMF corresponds to the third communication device in the method shown in FIG. 5. This implementation is described in detail below.
S1304 may be replaced by: the SMF obtains the subscription data of the UE from the UDM in the subscription information retrieval procedure. The subscription information obtained by the SMF need not indicate the successfully registered services. In S1306, the SMF may, according to the service indication information in the session establishment request, initiate an authentication procedure towards an authentication server (for example, an AAA-S outside the mobile communication system), requesting the authentication server to authenticate whether the UE is able to use the service it requested.
Optionally, in S1301 and S1303 the PDU session establishment request may further contain at least one of the following: first indication information and second indication information. The first indication information may indicate whether authentication of the UE's ability to use the service is required, and the second indication information may indicate the authentication server that performs the authentication. In S1306, the SMF may determine that authentication of whether the UE is able to use the service is required, and determine the authentication server, according to at least one of the following: the first indication information, the second indication information, the service indication information, and the local configuration information of the SMF. The SMF then initiates an authentication procedure towards the authentication server so as to authenticate whether the UE is able to use the service it requested.
The method for determining that authentication of whether the UE is able to use the service is required, and for determining the authentication server, may include, but is not limited to, at least one of the following:
Way 1: After determining from the first indication information that authentication is required, the SMF may determine the address of the authentication server from the second indication information.
Way 2: After determining from the first indication information that authentication is required, the SMF may determine, from its local configuration information, the set of authentication servers it can interact with, and then select one of them, according to the second indication information, as the authentication server that authenticates whether the UE is able to use the service.
Way 3: After determining from the first indication information that authentication is required, the SMF may determine, from the second indication information, a set of authentication servers that can interact with the SMF, and then select one of them, according to its local configuration information, as the authentication server that authenticates whether the UE is able to use the service.
The authentication procedure initiated by the SMF is described below with reference to FIG. 14.
S1401: The SMF initiates an N4 session establishment procedure towards the UPF.
S1402: The SMF sends a fifth authentication request to the AAA-S in the DN. Correspondingly, the AAA-S in the DN receives the fifth authentication request from the SMF.
The fifth authentication request may contain the service indication information of the service requested by the UE, and may request authentication of whether the UE is able to use the requested service.
S1403a: The AAA-S sends a fifth authentication response to the SMF. Correspondingly, the SMF receives the fifth authentication response from the AAA-S.
The fifth authentication response may contain the service indication information of the service requested by the UE.
S1403b: The SMF initiates an N1N2 message transfer (Namf_communication_N1N2MessageTransfer) procedure towards the AMF.
Optionally, the SMF may send the service indication information of the service requested by the UE to the AMF through the N1N2 message transfer procedure.
S1403c: The AMF sends a first NAS SM transport message to the UE. Correspondingly, the UE receives the first NAS SM transport message from the AMF.
The first NAS SM transport message may be an authentication message.
The first NAS SM transport message may include the service indication information of the service requested by the UE.
S1403d: The UE sends a second NAS SM transport message to the AMF. Correspondingly, the AMF receives the second NAS SM transport message from the UE.
The second NAS SM transport message may be an authentication message.
The second NAS SM transport message may include the service indication information of the service requested by the UE.
Optionally, the NAS SM transport message may also contain the UE's own authentication result on whether the UE is able to use the requested service.
S1403e: The AMF initiates an update SM context (Nsmf_PDU session_updateSMcontext) procedure towards the SMF.
The message in the update SM context procedure may be an N1 SM message.
The message in the update SM context procedure may include the service indication information of the service requested by the UE.
Optionally, in the update SM context procedure the AMF may send the SMF the UE's authentication result on whether the UE is able to use the requested service.
S1403f: The SMF sends a sixth authentication request to the AAA-S. Correspondingly, the AAA-S receives the sixth authentication request from the SMF.
The sixth authentication request may contain the service indication information of the service requested by the UE.
S1404: The AAA-S sends a sixth authentication response to the SMF. Correspondingly, the SMF receives the sixth authentication response from the AAA-S.
The sixth authentication response may contain the service indication information of the service requested by the UE. The sixth authentication response contains a first authentication result on whether the UE is able to use the requested service (for example, the AAA-S's authentication result on whether the UE is able to use the requested service).
S1405: The mobile communication system continues with the subsequent PDU session establishment procedure according to the first authentication result.
When the first authentication result indicates that the UE is able to use the requested service, the PDU session establishment request is accepted; otherwise, the PDU session establishment request is rejected.
S1406: The SMF sends the allocated IP address to the AAA-S.
This step is optional.
Through the methods shown in FIG. 13 and FIG. 14, in the session establishment procedure the SMF can request the AAA-S to authenticate whether the UE is able to use the requested service, and obtain the authentication result. Based on that result, the mobile communication system in which the SMF is located can provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, thereby improving the security of data transmission.
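As an added example (not the patent's own code) covering both the three ways of determining the authentication server and the FIG. 14 exchange: the SMF decides from the first indication, service indication and local configuration whether authentication is needed, selects the AAA-S address by Way 1, 2 or 3, runs the fifth/sixth request exchange against a stub AAA-S with the NAS SM transport round trip to the UE abbreviated to one challenge/answer, and accepts or rejects the PDU session from the first authentication result (S1405). The encoding of the second indication, the configuration layout, the stub AAA-S and the sample addresses are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecondIndication:
    """Constructed encoding of the second indication information (assumption): it carries
    an AAA-S address (Way 1), one server identifier (Way 2) or a list of candidates (Way 3)."""
    address: Optional[str] = None
    server_id: Optional[str] = None
    candidate_ids: tuple[str, ...] = ()


@dataclass
class SmfLocalConfig:
    """Constructed SMF local configuration (assumed layout)."""
    reachable: dict[str, str]         # AAA-S identifier -> address the SMF may interact with
    preferred: tuple[str, ...]        # local preference order among reachable servers (Way 3)
    auth_services: frozenset[str]     # services that always require authentication


def auth_required(first_ind: Optional[bool], services: list[str], cfg: SmfLocalConfig) -> bool:
    """Step 1: the first indication decides; without it, the service indication together
    with the local configuration decides (the text allows any of the four inputs)."""
    if first_ind is not None:
        return first_ind
    return any(s in cfg.auth_services for s in services)


def select_server(second: SecondIndication, cfg: SmfLocalConfig) -> Optional[str]:
    """Step 2: return the AAA-S address, or None when no usable server can be determined."""
    if second.address is not None:                  # Way 1: address given directly
        return second.address
    if second.server_id is not None:                # Way 2: local config lists the reachable
        return cfg.reachable.get(second.server_id)  #        servers, second indication picks one
    if second.candidate_ids:                        # Way 3: second indication lists candidates,
        for sid in cfg.preferred:                   #        local preference picks one
            if sid in second.candidate_ids and sid in cfg.reachable:
                return cfg.reachable[sid]
        return None
    for sid in cfg.preferred:                       # no second indication: local config only
        if sid in cfg.reachable:
            return cfg.reachable[sid]
    return None


class AaaServerStub:
    """Constructed AAA-S: authorizes a set of services per UE identity (assumption)."""

    def __init__(self, allowed: dict[str, frozenset[str]]):
        self.allowed = allowed

    def fifth_request(self, ue_id: str, services: list[str]) -> dict:
        # Fifth response (S1403a): echoes the service indication and carries the challenge
        # that the AMF relays to the UE in NAS SM transport (S1403b to S1403e, abbreviated).
        return {"services": list(services), "challenge": f"challenge-for-{ue_id}"}

    def sixth_request(self, ue_id: str, services: list[str], ue_answer: str) -> dict:
        # Sixth response (S1404): the first authentication result for the requested services.
        ok = ue_answer == f"answer-for-{ue_id}" and all(
            s in self.allowed.get(ue_id, frozenset()) for s in services)
        return {"services": list(services), "result": "success" if ok else "failure"}


def ue_answer(ue_id: str, challenge: str) -> str:
    """Constructed UE side of the NAS SM transport round trip (S1403c/S1403d)."""
    return f"answer-for-{ue_id}" if challenge == f"challenge-for-{ue_id}" else "bad"


@dataclass
class SessionOutcome:
    accepted: bool
    server: Optional[str] = None
    cause: str = ""


def smf_session_authentication(ue_id: str, services: list[str], first_ind: Optional[bool],
                               second: SecondIndication, cfg: SmfLocalConfig,
                               servers: dict[str, AaaServerStub]) -> SessionOutcome:
    """S1306 with SMF-initiated authentication: decide whether and where to authenticate,
    run the FIG. 14 exchange, then accept or reject the PDU session (S1405)."""
    if not auth_required(first_ind, services, cfg):
        return SessionOutcome(True, None, "authentication not required")
    addr = select_server(second, cfg)
    # The SMF only talks to a server it can actually reach; an unknown address is a failure.
    if addr is None or addr not in servers:
        return SessionOutcome(False, addr, "no authentication server")
    aaa = servers[addr]
    fifth = aaa.fifth_request(ue_id, services)
    sixth = aaa.sixth_request(ue_id, services, ue_answer(ue_id, fifth["challenge"]))
    if sixth["result"] == "success":
        return SessionOutcome(True, addr, "service authenticated")
    return SessionOutcome(False, addr, "service not authenticated")
```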
An embodiment of this application provides a communication method. The method can be applied to the communication systems shown in FIG. 1 to FIG. 4; refer to FIG. 15, FIG. 16 and FIG. 12. The method authenticates, during the network slice authentication procedure, whether the terminal device is able to use a service on the network slice, so that the mobile communication system can provide the terminal device with the services whose authentication succeeded and withhold the services whose authentication failed, thereby improving the security of service transmission. In this example, the first AMF or the AMF corresponds to the first communication device in the method shown in FIG. 5, the NSSAAF corresponds to the second communication device in the method shown in FIG. 5, the UE and/or the AN device corresponds to the third communication device in the method shown in FIG. 5, and the AAA-S corresponds to the fourth communication device in the method shown in FIG. 5. For ease of description, the terminal device is taken to be a UE in the following.
FIG. 15 shows a simplified flow of network slice authentication.
S1501: The UE sends a registration request to the AMF. Correspondingly, the AMF receives the registration request from the UE.
The registration request may contain first network slice indication information and first service indication information. The first network slice indication information may indicate the first network slice requested by the UE, and the first service indication information may indicate the first service associated with each network slice in the first network slice.
S1502: The AMF sends a seventh authentication request to the NSSAAF. Correspondingly, the NSSAAF receives the seventh authentication request from the AMF.
The seventh authentication request may contain the first network slice indication information and the first service indication information, and may request authentication of whether the UE is able to use the first service on the first network slice.
S1503: The NSSAAF sends an eighth authentication request to the AAA-P. Correspondingly, the AAA-P receives the eighth authentication request from the NSSAAF.
The eighth authentication request may contain the first network slice indication information and the first service indication information.
S1504: The AAA-P sends the eighth authentication request to the AAA-S. Correspondingly, the AAA-S receives the eighth authentication request from the AAA-P.
The eighth authentication request may request the AAA-S to authenticate whether the UE is able to use the first service on the first network slice.
In some implementations, the NSSAAF may interact directly with the AAA-S. In that case, S1503 and S1504 may be replaced by: the NSSAAF sends the eighth authentication request to the AAA-S.
FIG. 16 shows the detailed flow of network slice authentication. For the content of this procedure, refer to clause 4.2.9.2 of TS 23.502. On the basis of clause 4.2.9.2 of TS 23.502, this embodiment adds service indication information to each message. The procedure is described in detail below with reference to the drawing.
S1601: The AMF triggers the network slice-specific authentication and authorization procedure.
Optionally, the AMF may trigger the network slice authentication procedure according to a registration request of the UE, or based on other events; for example, the AMF may trigger the network slice authentication procedure based on a UE re-authentication and re-authorization procedure for an S-NSSAI that was triggered by the AAA-S.
When the AMF triggers the network slice authentication procedure according to the registration request of the UE, the registration request may contain: the network slice indication information of the first network slice requested by the UE, and the service indication information of the service associated with each network slice.
S1602: The AMF sends a first NAS mobility management (MM) transport message to the UE. Correspondingly, the UE receives the first NAS MM transport message from the AMF.
The first NAS MM transport message may include at least one of the following: an extensible authentication protocol (EAP) ID request for the S-NSSAI, and the S-NSSAI.
S1603: The UE sends a second NAS MM transport message to the AMF. Correspondingly, the AMF receives the second NAS MM transport message from the UE.
The second NAS MM transport message may include at least one of the following: an EAP ID response for the S-NSSAI, and the S-NSSAI.
S1604: The AMF sends a ninth authentication request (Nnssaaf_NSSAA_Authenticate Request) to the NSSAAF. Correspondingly, the NSSAAF receives the ninth authentication request from the AMF.
The ninth authentication request may include at least one of the following: the EAP ID response, the S-NSSAI, the generic public subscription identifier (GPSI), and the service indication information associated with the S-NSSAI.
S1605: The NSSAAF sends a first AAA protocol message to the AAA-P. Correspondingly, the AAA-P receives the first AAA protocol message from the NSSAAF.
The first AAA protocol message may include at least one of the following: the EAP ID response, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1606: The AAA-P sends a second AAA protocol message to the AAA-S. Correspondingly, the AAA-S receives the second AAA protocol message from the AAA-P.
The second AAA protocol message may include at least one of the following: the EAP ID response, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1607: The AAA-S sends a third AAA protocol message to the AAA-P. Correspondingly, the AAA-P receives the third AAA protocol message from the AAA-S.
The third AAA protocol message may include at least one of the following: an EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1608: The AAA-P sends a fourth AAA protocol message to the NSSAAF. Correspondingly, the NSSAAF receives the fourth AAA protocol message from the AAA-P.
The fourth AAA protocol message may include at least one of the following: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1609: The NSSAAF sends a ninth authentication response (Nnssaaf_NSSAA_Authenticate Response) to the AMF. Correspondingly, the AMF receives the ninth authentication response from the NSSAAF.
The ninth authentication response may include at least one of the following: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1610: The AMF sends a third NAS MM transport message to the UE. Correspondingly, the UE receives the third NAS MM transport message from the AMF.
The third NAS MM transport message may include at least one of the following: the EAP message, the S-NSSAI, and the service indication information associated with the S-NSSAI.
S1611: The UE sends a fourth NAS MM transport message to the AMF. Correspondingly, the AMF receives the fourth NAS MM transport message from the UE.
The fourth NAS MM transport message may include at least one of the following: the EAP message, the S-NSSAI, and the service indication information associated with the S-NSSAI.
S1612: The AMF sends a tenth authentication request (Nnssaaf_NSSAA_Authenticate Request) to the NSSAAF. Correspondingly, the NSSAAF receives the tenth authentication request from the AMF.
The tenth authentication request may include at least one of the following: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1613: The NSSAAF sends a fifth AAA protocol message to the AAA-P. Correspondingly, the AAA-P receives the fifth AAA protocol message from the NSSAAF.
The fifth AAA protocol message may include at least one of the following: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
Optionally, the fifth AAA protocol message may also include the address of the AAA-S.
S1614: The AAA-P may send a sixth AAA protocol message to the AAA-S according to the address of the AAA-S, so that the AAA-S authenticates whether the UE is able to use the requested service on the requested network slice. Correspondingly, the AAA-S receives the sixth AAA protocol message from the AAA-P.
The sixth AAA protocol message may include at least one of the following: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
Optionally, for the details of how the AAA-S authenticates whether the UE is able to use the requested service on the requested network slice, refer to S502; they are not repeated here.
S1615: The AAA-S sends a seventh AAA protocol message to the AAA-P. Correspondingly, the AAA-P receives the seventh AAA protocol message from the AAA-S.
The seventh AAA protocol message may include at least one of the following: an EAP-Success/Failure message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1616: The AAA-P sends an eighth AAA protocol message to the NSSAAF. Correspondingly, the NSSAAF receives the eighth AAA protocol message from the AAA-P.
The eighth AAA protocol message may include at least one of the following: the EAP-Success/Failure message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1617: The NSSAAF sends a tenth authentication response (Nnssaaf_NSSAA_Authenticate Response) to the AMF. Correspondingly, the AMF receives the tenth authentication response from the NSSAAF.
The tenth authentication response may include at least one of the following: the EAP-Success/Failure message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1618: The AMF sends a fifth NAS MM transport message to the UE. Correspondingly, the UE receives the fifth NAS MM transport message from the AMF.
The fifth NAS MM transport message may include: the EAP-Success/Failure message, the S-NSSAI, and the service indication information associated with the S-NSSAI.
Optionally, the AMF may store the authentication result for the network slice associated with each S-NSSAI.
S1619a: The AMF initiates a UE configuration update procedure.
S1619b: The AMF initiates an unsubscribe procedure.
In some implementations, the NSSAAF may interact directly with the AAA-S. In that case, the NSSAAF may send the first AAA protocol message and the fifth AAA protocol message directly to the AAA-S, and the AAA-S may send the third AAA protocol message and the seventh AAA protocol message directly to the NSSAAF.
Through the methods shown in FIG. 15 and FIG. 16, in the network slice authentication procedure the AMF can obtain the result of authenticating whether the UE is able to use the requested service on the network slice it requested. Based on that result, the mobile communication system in which the AMF is located can provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, thereby improving the security of data transmission.
In some implementations, the procedures shown in FIG. 15 and FIG. 16 may be used in the method shown in FIG. 12; in this case the method shown in FIG. 12 changes in some respects. Only the changes are described below.
In S1201, the registration request may include the first network slice indication information and the first service indication information.
In S1203, after receiving the registration request, the first AMF may trigger the network slice authentication procedure of S1601 and perform the subsequent steps of FIG. 16.
In S1205a, the first AMF may send a registration request to the UDM according to at least one of the following: the result of authenticating whether the UE can implement the first service on the first network slice, and the service indication information associated with that authentication result.
Optionally, the registration request may include at least one of the following items of authentication information: indication information of the network slices for which the UE's authentication succeeded (for example, a list of the network slices for which the UE's authentication succeeded), indication information of the successfully authenticated services associated with each successfully authenticated network slice, indication information of all services associated with each successfully authenticated network slice, and the authentication results of all services associated with each successfully authenticated network slice. The UDM may then store the received information, together with the identity information of the first AMF associated with it, in the UDM or the UDR.
It can be understood that the first AMF may also send the registration information to another communication device having a storage function, or store the registration information locally at the AMF.
In S1205b, the subscription information that the first AMF obtains from the UDM may indicate at least one of the following: the network slices for which the UE's authentication succeeded, and the successfully authenticated services associated with those network slices.
In S1207, the registration accept message may indicate the network slices that the UE can use in the mobile communication system and the services of the UE associated with those network slices.
Optionally, after receiving the registration accept message, the UE may locally store the indication information of the network slices it can use and the information of the services associated with those network slices.
In some implementations, after the UE has registered successfully, the network slices for which the UE's authentication succeeded or failed may change, and the authentication results of the services associated with a network slice may also change. In this case, the mobile communication system may update the authentication results of the UE's network slices or services. The update procedure is described below with reference to FIG. 12.
In S1208, the authentication update information may be used to indicate at least one of the following: a network slice for which the UE's authentication succeeded becomes a network slice for which authentication failed; a network slice for which the UE's authentication failed becomes a network slice for which authentication succeeded; a network slice newly added for the UE becomes a network slice for which authentication succeeded; a network slice newly added for the UE becomes a network slice for which authentication failed; a successfully authenticated service associated with the network slice becomes a service associated with the network slice whose authentication failed; a service associated with the network slice whose authentication failed becomes a successfully authenticated service associated with the network slice; a newly added service associated with the network slice becomes a successfully authenticated service associated with the network slice; or a newly added service associated with the network slice becomes a service associated with the network slice whose authentication failed.
The authentication update information may include at least one of the following: the network slice indication information of the network slice whose authentication result changed, and the service indication information of the service whose authentication result changed.
In S1210, the mobile communication system performs a subsequent UE configuration update procedure to update at least one of the following: the network slices for which the UE's authentication succeeded and/or failed, the successfully authenticated and/or failed services associated with the successfully authenticated network slices, and the services associated with the network slices whose authentication failed.
Through this method, in the registration procedure the AMF can obtain the result of authenticating whether the UE can implement the requested service on the network slice requested by the UE. According to that authentication result, the mobile communication system in which the AMF is located can provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, thereby improving the security of data transmission.
In some implementations, the method shown in FIG. 13 may also be implemented on the basis of the procedure of FIG. 16 being used in the method of FIG. 12. In this case the method shown in FIG. 13 changes in some respects, and only the changes are described below.
In S1301, the PDU session establishment request may include: the network slice indication information of the network slices requested by the UE, and the service indication information of the services associated with each network slice.
In S1302, the AMF may select an SMF based on the network slice indication information and the service indication information in the PDU session establishment request, and on the subscription information of the UE.
The subscription information may include: the network slice indication information of the network slices for which the UE has registered successfully in the current network, and the service indication information of the successfully registered services associated with those successfully registered network slices.
When the network slice requested by the UE is a network slice for which the UE has registered successfully in the current network, and the service that the UE requests in association with that successfully registered network slice is a service for which the UE has registered successfully in the current network, the AMF may accept the PDU session establishment request and select an SMF for the subsequent PDU session establishment procedure; otherwise, the AMF may reject the PDU session establishment request.
When the AMF rejects the PDU session establishment request, the AMF may return a rejection cause. The rejection cause may include at least one of the following: service not registered, service not authenticated, network slice not registered, network slice not authenticated, and so on.
In other implementations, the method shown in FIG. 13 may also be implemented on the basis of the procedure of FIG. 16 being used in the method of FIG. 12. In this case the method shown in FIG. 13 changes in some respects, and only the changes are described below.
In S1301, the PDU session establishment request may include: the network slice indication information of the network slices requested by the UE, and the service indication information of the services associated with each network slice.
In S1303, the PDU session establishment request that the AMF sends to the SMF may include: the network slice indication information of the network slices requested by the UE, and the service indication information of the services associated with each network slice.
In S1304, the subscription information of the UE obtained by the SMF may indicate the network slices for which the UE has registered successfully and the successfully registered services associated with those network slices. For example, the subscription information of the UE may include: the network slice indication information of the UE's successfully registered network slices, and the service indication information of the successfully registered services associated with the successfully registered network slices.
Optionally, the SMF may determine whether to accept or reject the PDU session establishment request according to, but not limited to, at least one of the following: the network slice indication information of the requested network slice, the service indication information of the service associated with the requested network slice, and the subscription information. When the network slice requested by the UE is a network slice for which the UE has registered successfully, and the service that the UE requests in association with that successfully registered network slice is a service for which the UE has registered successfully, the SMF accepts the PDU session establishment request and continues the subsequent PDU session establishment procedure; otherwise, the SMF rejects the PDU session establishment request.
When rejecting the PDU session establishment request, the SMF may send the failure cause of the PDU session establishment to the AMF. The failure cause may include: service not registered, service not authenticated, network slice not registered, and network slice not authenticated.
Through this method, in the session establishment procedure the mobile communication system can reuse the authentication result of the registration procedure to establish a restricted PDU session for the UE. That is, the mobile communication system establishes sessions for the successfully registered services associated with the network slices for which the UE's authentication succeeded, and does not establish sessions for the services whose authentication failed, so that the UE is provided with the successfully authenticated services and not with the services whose authentication failed, which improves the security of service transmission.
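The following is an added illustration, not code from the patent, that models the per-UE authentication state an AMF may keep (S1618), the update information of S1208, and the accept/reject decision with rejection causes of S1302 (AMF) or S1304 (SMF). The S-NSSAI values and service names are constructed, and the mapping of "not registered" versus "not authenticated" causes onto the stored state is an assumption of the example.

```python
"""Model of AMF-side slice/service authentication state and the PDU-session
accept/reject decision. Added illustration, not the patent's own code.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RejectCause(Enum):
    """Rejection causes the text lists for a refused PDU session request."""
    SERVICE_NOT_REGISTERED = "service not registered"
    SERVICE_NOT_AUTHENTICATED = "service not authenticated"
    SLICE_NOT_REGISTERED = "network slice not registered"
    SLICE_NOT_AUTHENTICATED = "network slice not authenticated"


@dataclass
class SliceAuthState:
    """Authentication state kept per S-NSSAI (S1618: the AMF may store it)."""
    slice_ok: bool                                           # NSSAA result for the slice
    services: Dict[str, bool] = field(default_factory=dict)  # service -> result


class AmfAuthStore:
    """Per-UE store of network slice and service authentication results."""

    def __init__(self) -> None:
        self.slices: Dict[str, SliceAuthState] = {}

    def record(self, snssai: str, slice_ok: bool, services: Dict[str, bool]) -> None:
        """Store a result delivered in the tenth authentication response (S1617)."""
        self.slices[snssai] = SliceAuthState(slice_ok, dict(services))

    def apply_update(self, snssai: str, slice_ok: Optional[bool] = None,
                     services: Optional[Dict[str, bool]] = None) -> None:
        """Apply authentication update information (S1208).

        Each of the eight transitions in the text reduces to: a slice or service
        that is newly added, or whose result flipped, is (re)written with its new
        result; keys not mentioned in the update are left untouched.
        """
        state = self.slices.get(snssai)
        if state is None:
            # newly added slice: treated as failed unless the update says otherwise
            state = SliceAuthState(slice_ok if slice_ok is not None else False)
            self.slices[snssai] = state
        elif slice_ok is not None:
            state.slice_ok = slice_ok
        if services:
            state.services.update(services)

    def allowed(self) -> Dict[str, List[str]]:
        """Content of the registration accept (S1207): usable slices and the
        successfully authenticated services associated with each."""
        return {s: sorted(svc for svc, ok in st.services.items() if ok)
                for s, st in self.slices.items() if st.slice_ok}

    def evaluate_pdu_session(self, snssai: str, service: str
                             ) -> Tuple[bool, Optional[RejectCause]]:
        """Accept/reject decision of S1302 (AMF) or S1304 (SMF).

        Assumed mapping: an S-NSSAI or service never recorded is "not registered";
        one recorded with a failed result is "not authenticated".
        """
        state = self.slices.get(snssai)
        if state is None:
            return False, RejectCause.SLICE_NOT_REGISTERED
        if not state.slice_ok:
            return False, RejectCause.SLICE_NOT_AUTHENTICATED
        if service not in state.services:
            return False, RejectCause.SERVICE_NOT_REGISTERED
        if not state.services[service]:
            return False, RejectCause.SERVICE_NOT_AUTHENTICATED
        return True, None


def demo_store() -> AmfAuthStore:
    """Constructed scenario: NSSAA results for two slices, then S1208 updates."""
    store = AmfAuthStore()
    # constructed S-NSSAI values (SST-SD) and service identifiers
    store.record("01-000001", True, {"video": True, "voice": False})
    store.record("02-000002", False, {"web": True})
    # update: "voice" on the first slice flips to success, and a newly added
    # slice arrives already authenticated together with one authenticated service
    store.apply_update("01-000001", services={"voice": True})
    store.apply_update("03-000003", slice_ok=True, services={"iot": True})
    return store


if __name__ == "__main__":
    s = demo_store()
    print(s.allowed())
    for req in [("01-000001", "voice"), ("02-000002", "web"),
                ("01-000001", "chat"), ("09-000009", "web")]:
        print(req, s.evaluate_pdu_session(*req))
```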
Based on the same technical concept, the present application further provides a communication apparatus, whose structure is shown in FIG. 17 and which includes a communication unit 1701 and a processing unit 1702. The communication apparatus 1700 may be applied to the AMF, SMF, AUSF, NSSAAF or UDM in the communication systems shown in FIG. 1 to FIG. 4, or to an AAA-S outside the mobile communication system, and can implement the communication methods provided by the embodiments and examples of the present application above. The functions of the units of the apparatus 1700 are introduced below.
The communication unit 1701 is configured to receive and send data.
When the communication apparatus 1700 is applied to an AMF, SMF, AUSF, NSSAAF, UDM, or an AAA-S outside the mobile communication system, the communication unit 1701 may be implemented by a physical interface, a communication module, a communication interface, or an input/output interface. Through the communication unit, the communication apparatus 1700 may be connected to a network cable or other cable and thereby establish a physical connection with other devices.
In one embodiment, the communication apparatus 1700 is applied to the first communication device in the embodiments of the present application (for example, the first communication device in FIG. 5, the first AMF in FIG. 8 to FIG. 10 and FIG. 12, or the AMF or SMF in FIG. 13). The second communication device includes at least one of the following: an AUSF, an NSSAAF, a UDM, or an AAA-S outside the mobile communication system. The specific functions of the processing unit 1702 in this embodiment are introduced below.
The processing unit 1702 is specifically configured to: send a first request to the second communication device through the communication unit 1701, where the first request may include first service indication information, the first service indication information may indicate a first service requested by a terminal device, and the first request may request authentication of whether the terminal device can implement the first service; receive a first response from the second communication device through the communication unit 1701, where the first response may include the authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service; and determine, according to the authentication result, whether to provide the first service to the terminal device.
Optionally, the processing unit 1702 is specifically configured to: before sending the first request to the second communication device, receive a second request from a third communication device through the communication unit 1701, where the second request may include the first service indication information and may be a registration request or a first session establishment request.
Optionally, the first service includes at least one service, and the authentication result includes: the terminal device can implement a second service among the first service. When the second request is the registration request, the first communication device is an access and mobility management function (AMF), the second communication device is an authentication server function (AUSF) and/or a network slice-specific authentication and authorization function (NSSAAF), and the third communication device is the terminal device or the access network (AN) device that the terminal device accesses. The processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, send a first message to a unified data management (UDM) through the communication unit 1701, where the first message may include second service indication information used to indicate the second service;
receive, through the communication unit 1701, a second session establishment request from the terminal device or from the AN device that the terminal device accesses, where the second session establishment request includes third service indication information used to indicate a third service that the terminal device requests to execute;
according to the second session establishment request, send a third request to the SMF through the communication unit 1701, where the third request may include the third service indication information, and the third request may request the SMF to accept or reject the second session establishment request according to the second service indication information obtained from the UDM and the third service indication information.
Optionally, the first service includes at least one service, and the authentication result includes: the terminal device can implement a second service among the first service. When the second request is the registration request, the first communication device is an AMF, the second communication device is an AUSF and/or an NSSAAF, and the third communication device is the terminal device or the AN device that the terminal device accesses. The processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, store second service indication information used to indicate the second service;
receive, through the communication unit 1701, a second session establishment request from the terminal device or from the AN device that the terminal device accesses, where the second session establishment request may include third service indication information that may indicate a third service that the terminal device requests to execute;
when the second service that the terminal device can implement includes the third service, accept the second session establishment request; otherwise, reject the second session establishment request.
Optionally, when the second request is the registration request, the first communication device is an AMF, the second communication device is an NSSAAF, and the third communication device is the terminal device or the AN device that the terminal device accesses; the second request further includes first network slice indication information used to indicate a first network slice that the terminal device requests to access; the first request further includes the first network slice indication information; and the authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
Optionally, the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result includes: the terminal device can implement a fourth service among the first service on a second network slice among the first network slice. The processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, send a second message to the UDM through the communication unit 1701, where the second message may include second network slice indication information and fourth service indication information, the second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice;
receive, through the communication unit 1701, a third session establishment request from the terminal device or from the AN device that the terminal device accesses, where the third session establishment request may include third network slice indication information and fifth service indication information, the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate a fifth service that the terminal device requests to execute on the third network slice;
according to the third session establishment request, send a fourth request to the SMF through the communication unit 1701, where the fourth request may include the third network slice indication information and the fifth service indication information, and the fourth request may request the SMF to accept or reject the second session establishment request according to the second network slice indication information and the fourth service indication information obtained from the UDM, together with the third network slice indication information and the fifth service indication information.
Optionally, the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result includes: the terminal device can implement a fourth service among the first service on a second network slice among the first network slice. The processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, store second network slice indication information and fourth service indication information, where the second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice;
receive, through the communication unit 1701, a third session establishment request from the terminal device or from the AN device that the terminal device accesses, where the third session establishment request includes third network slice indication information and fifth service indication information, the third network slice indication information is used to indicate a third network slice, and the fifth service indication information is used to indicate a fifth service that the terminal device requests to execute on the third network slice;
when the second network slice includes the third network slice and the fourth service includes the fifth service, accept the third session establishment request; otherwise, reject the third session establishment request.
Optionally, the second request further includes at least one of the following: first indication information and second indication information, where the first indication information is used to indicate that authentication of whether the terminal device can implement the first service is required, and the second indication information is used to indicate the communication device that performs the authentication processing.
Optionally, the processing unit 1702 is specifically configured to: when the first communication device is an AMF or an SMF, before sending the first request to the second communication device, determine the second communication device according to the first service indication information, where the second communication device is at least one of an AUSF, an NSSAAF, a UDM, or an AAA server outside the mobile communication system.
Optionally, the processing unit 1702 is specifically configured to: when the first communication device is an AMF or an SMF, after receiving the first response from the second communication device, send a third message to the terminal device through the communication unit 1701 according to the authentication result, where the third message includes at least one of the following:
sixth service indication information used to indicate the services that the terminal device can implement;
seventh service indication information used to indicate the services that the terminal device cannot implement;
fourth network slice indication information used to indicate the network slices that the terminal device can access, together with eighth service indication information used to indicate the services that the terminal device can implement on those network slices;
fifth network slice indication information used to indicate the network slices that the terminal device can access, together with ninth service indication information used to indicate the services that the terminal device cannot implement on those network slices;
sixth network slice indication information used to indicate the network slices that the terminal device cannot access, together with tenth service indication information used to indicate the services requested by the terminal device on those network slices.
Optionally, the processing unit 1702 is specifically configured to: when the first communication device is an AMF, after receiving the first response from the second communication device, send a fourth message to the terminal device through the communication unit 1701, where the fourth message is used to trigger the terminal device to authenticate, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, and the authentication information includes authentication information of services.
Optionally, the first service indication information includes at least one of the following: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
In one embodiment, the communication apparatus 1700 is applied to the second communication device in the embodiments of the present application (for example, the second communication device in FIG. 5, the AUSF and/or UDM in FIG. 8, the AUSF and/or UDM/ARPF in FIG. 9, the NSSAAF and/or AAA-S in FIG. 10, the AUSF and/or UDM in FIG. 12, the AAA-S in the DN in FIG. 13, or the NSSAAF and/or AAA-S in FIG. 16), and the first communication device may include at least one of the following: an AMF and an SMF. The specific functions of the processing unit 1702 in this embodiment are described below.
The processing unit 1702 is configured to:
receive, through the communication unit 1701, a first request from a first communication device in the mobile communication system; wherein the first request includes first service indication information, the first service indication information is used to indicate a first service requested by a terminal device, and the first request is used to request authentication of whether the terminal device can implement the first service;
authenticate whether the terminal device can implement the first service; and
send, through the communication unit 1701, a first response to the first communication device; wherein the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service to the terminal device.
Optionally, the processing unit 1702 is specifically configured to:
send, through the communication unit 1701, a fifth request to a fourth communication device; wherein the fifth request includes the first service indication information, and the fifth request is used to request the fourth communication device to authenticate whether the terminal device can implement the first service;
receive, through the communication unit 1701, a fifth response from the fourth communication device; wherein the fifth response includes a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service; and
authenticate, according to the second authentication result, whether the terminal device can implement the first service, so as to obtain the first authentication result.
Optionally, the processing unit 1702 is specifically configured to:
when the first request further includes first network slice indication information, authenticate whether the terminal device can implement the first service on the first network slice, wherein the first network slice indication information is used to indicate a first network slice that the terminal device requests to access; the first authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
Optionally, the processing unit 1702 is specifically configured to:
send, through the communication unit 1701, a sixth request to a fourth communication device; wherein the sixth request includes the first network slice indication information and the first service indication information, and the sixth request is used to request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice;
receive, through the communication unit 1701, a sixth response from the fourth communication device; wherein the sixth response includes a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice; and
authenticate, according to the second authentication result, whether the terminal device can implement the first service, so as to obtain the first authentication result.
Optionally, the second communication device is an authentication server function (AUSF) and the fourth communication device is a UDM; or the second communication device is a network slice-specific authentication and authorization function (NSSAAF) and the fourth communication device is an authentication, authorization and accounting (AAA) server outside the mobile communication system.
Optionally, the processing unit 1702 is specifically configured to authenticate, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, the authentication information including authentication information of services.
Optionally, the first service indication information includes at least one of the following: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
It should be noted that the division of modules in the above embodiments of the present application is illustrative and is merely a division by logical function; other divisions are possible in actual implementation. In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Based on the same technical concept, the present application further provides a communication device. The communication device may be applied to the AMF, SMF, AUSF, NSSAAF or UDM in the communication systems shown in FIGS. 1-4, or to the AAA-S outside the mobile communication system; it can implement the communication methods provided in the above embodiments and examples of the present application and has the functions of the communication apparatus shown in FIG. 17. Referring to FIG. 18, the communication device 1800 includes a communication module 1801, a processor 1802 and a memory 1803, which are connected to one another.
Optionally, the communication module 1801, the processor 1802 and the memory 1803 are connected to one another through a bus 1804. The bus 1804 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one bold line is drawn in FIG. 18, but this does not mean that there is only one bus or only one type of bus.
The communication module 1801 is configured to receive and send data, thereby communicating and interacting with other devices. For example, when the communication device 1800 is applied to the AMF, SMF, AUSF, NSSAAF, UDM, or the AAA-S outside the mobile communication system (in the scenario where the AN device interacts with network elements in the core network), the communication module 1801 may be implemented through a physical interface, a communication module, a communication interface, or an input/output interface.
In one embodiment, the communication device 1800 is applied to the first communication device in the embodiments of the present application (for example, the first communication device in FIG. 5, the first AMF in FIGS. 8-10 and FIG. 12, or the AMF or SMF in FIG. 13). The second communication device includes at least one of the following: an AUSF, an NSSAAF, a UDM, or an AAA-S outside the mobile communication system. The processor 1802 is specifically configured to:
send a first request to the second communication device; wherein the first request may include first service indication information, the first service indication information may indicate a first service requested by a terminal device, and the first request may request authentication of whether the terminal device can implement the first service; receive a first response from the second communication device; wherein the first response may include an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service; and determine, according to the authentication result, whether to provide the first service to the terminal device.
In one embodiment, the communication device 1800 is applied to the second communication device in the embodiments of the present application (for example, the second communication device in FIG. 5, the AUSF and/or UDM in FIG. 8, the AUSF and/or UDM/ARPF in FIG. 9, the NSSAAF and/or AAA-S in FIG. 10, the AUSF and/or UDM in FIG. 12, the AAA-S in the DN in FIG. 13, or the NSSAAF and/or AAA-S in FIG. 16), and the first communication device may include at least one of the following: an AMF and an SMF. The processor 1802 is specifically configured to:
receive a first request from a first communication device in the mobile communication system; wherein the first request includes first service indication information, the first service indication information is used to indicate a first service requested by a terminal device, and the first request is used to request authentication of whether the terminal device can implement the first service;
authenticate whether the terminal device can implement the first service; and
send a first response to the first communication device; wherein the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service to the terminal device.
For the specific functions of the processor 1802, reference may be made to the description of the communication methods provided in the above embodiments and examples of the present application, and to the description of the specific functions of the communication apparatus 1700 in the embodiment shown in FIG. 17; details are not repeated here.
The memory 1803 is configured to store program instructions, data, and the like. Specifically, the program instructions may include program code, and the program code includes computer operation instructions. The memory 1803 may include a random access memory (RAM) and may further include a non-volatile memory, for example, at least one disk memory. The processor 1802 executes the program instructions stored in the memory 1803 and uses the data stored in the memory 1803 to implement the above functions, thereby implementing the communication methods provided in the above embodiments of the present application.
It can be understood that the memory 1803 in FIG. 18 of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.
Based on the above embodiments, an embodiment of the present application further provides a computer program which, when run on a computer, causes the computer to perform the communication method provided in the above embodiments.
Based on the above embodiments, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a computer, causes the computer to perform the communication method provided in the above embodiments.
The storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, a computer-readable medium may include a RAM, a ROM, an EEPROM, a CD-ROM or other optical disc storage, a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Based on the above embodiments, an embodiment of the present application further provides a chip configured to read a computer program stored in a memory and implement the communication method provided in the above embodiments.
Based on the above embodiments, an embodiment of the present application provides a chip system. The chip system includes a processor configured to support a computer apparatus in implementing the functions of the service device, forwarding device, or station device in the above embodiments. In a possible design, the chip system further includes a memory configured to store the programs and data necessary for the computer apparatus. The chip system may consist of a chip, or may include a chip and other discrete components.
In summary, the embodiments of the present application provide a communication method, apparatus, and system. In the method, a first communication device in a mobile communication system can request authentication of whether a terminal device can implement a first service by sending a first request to a second communication device; after receiving the authentication result from the second communication device, the first communication device can determine, according to the authentication result, whether to provide the first service to the terminal device. Through this solution, the first communication device obtains an authentication result on whether the terminal device can implement the requested service; according to that result, the mobile communication system in which the first communication device is located provides the terminal device with the services for which authentication succeeded and withholds the services for which authentication failed, so the security of data transmission can be improved.
In the embodiments of the present application, unless otherwise specified or logically conflicting, the terms and/or descriptions in different embodiments are consistent and may be referred to one another, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the present application. It should be understood that each procedure and/or block in the flowcharts and/or block diagrams, and combinations of procedures and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
Apparently, those skilled in the art can make various changes and modifications to the present application without departing from its scope. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include them.
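As an added illustration that is not part of the patent, the following Python model plays through the exchange described above: the first communication device (AMF) sends a first request carrying service indication information (and optionally network slice indication information), the second communication device (AUSF or NSSAAF) forwards it to a fourth device (UDM or AAA-S) as the fifth/sixth request, derives the first authentication result from the second one, and the AMF then keeps only the authenticated services and uses that stored set to accept or reject later session establishment requests (the check in claims 4 and 7 below). All field names, the provider-based local policy and the subscription data are constructed assumptions.

```python
"""Toy model of the service authentication exchange in this patent. Added example, not the
patent's own code: the network function roles (AMF, AUSF, NSSAAF, UDM, AAA-S) and message
names are the patent's; field names, the local policy and the sample subscription data
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

SliceId = Optional[str]  # None = service not bound to a particular network slice


@dataclass(frozen=True)
class ServiceIndication:
    """First service indication information: service identifier, type and provider."""
    service_id: str
    service_type: str
    provider: str


@dataclass(frozen=True)
class AuthRequest:
    """First request (AMF -> AUSF/NSSAAF), also forwarded as the fifth/sixth request."""
    ue_id: str
    services: Tuple[ServiceIndication, ...]
    slices: Tuple[str, ...] = ()  # first network slice indication information (optional)


@dataclass
class AuthResult:
    """Authentication result: (slice, service) pairs the UE may and may not use."""
    allowed: Set[Tuple[SliceId, ServiceIndication]]
    rejected: Set[Tuple[SliceId, ServiceIndication]]


class FourthDevice:
    """UDM (behind an AUSF) or AAA-S outside the PLMN (behind an NSSAAF): holds the
    service authentication information and produces the second authentication result."""

    def __init__(self, subscriptions: Dict[str, Dict[SliceId, FrozenSet[ServiceIndication]]]):
        self.subscriptions = subscriptions

    def authenticate(self, req: AuthRequest) -> AuthResult:
        ue_subs = self.subscriptions.get(req.ue_id, {})
        scopes: Tuple[SliceId, ...] = req.slices if req.slices else (None,)
        result = AuthResult(set(), set())
        for scope in scopes:
            for svc in req.services:
                # Unknown UE, unknown slice or unsubscribed service all end up rejected.
                target = result.allowed if svc in ue_subs.get(scope, frozenset()) else result.rejected
                target.add((scope, svc))
        return result


class SecondDevice:
    """AUSF or NSSAAF: delegates to the fourth device and derives the first
    authentication result from the second one (local policy may only narrow it)."""

    def __init__(self, fourth: FourthDevice, blocked_providers: FrozenSet[str] = frozenset()):
        self.fourth = fourth
        self.blocked_providers = blocked_providers  # constructed local policy

    def handle_first_request(self, req: AuthRequest) -> AuthResult:
        second = self.fourth.authenticate(req)  # fifth/sixth request and response
        first = AuthResult(set(), set(second.rejected))
        for scope, svc in second.allowed:
            target = first.rejected if svc.provider in self.blocked_providers else first.allowed
            target.add((scope, svc))
        return first


class FirstDevice:
    """AMF: requests authentication at registration, saves the granted services
    (second service indication information) and checks later session requests against them."""

    def __init__(self, second: SecondDevice):
        self.second = second
        self.granted: Dict[str, Set[Tuple[SliceId, ServiceIndication]]] = {}

    def register(self, ue_id: str, services, slices=()) -> AuthResult:
        result = self.second.handle_first_request(AuthRequest(ue_id, tuple(services), tuple(slices)))
        self.granted[ue_id] = set(result.allowed)  # only authenticated services are offered
        return result

    def session_establishment(self, ue_id: str, svc: ServiceIndication, slice_id: SliceId = None) -> bool:
        """Accept only a (slice, service) pair authenticated at registration; default deny."""
        return (slice_id, svc) in self.granted.get(ue_id, set())


VOICE = ServiceIndication("voice", "ims", "operator")
VIDEO = ServiceIndication("video", "streaming", "cdn-a")
WEB = ServiceIndication("web", "internet", "isp-x")

# Constructed subscription data for one UE: a slice-independent entry and two per-slice entries.
SAMPLE_SUBSCRIPTIONS = {
    "imsi-001": {None: frozenset({VOICE, VIDEO}), "S-NSSAI-1": frozenset({VIDEO}), "S-NSSAI-2": frozenset()}
}


def build_network() -> FirstDevice:
    return FirstDevice(SecondDevice(FourthDevice(SAMPLE_SUBSCRIPTIONS)))
```

Registering with no slice grants the slice-independent services only, so a later session request naming a slice is rejected until a registration carrying that slice has been authenticated.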

Claims (24)

  1. 一种通信方法,其特征在于,应用于移动通信***中的第一通信设备,所述方法包括:A communication method, characterized in that it is applied to a first communication device in a mobile communication system, the method comprising:
    向第二通信设备发送第一请求;其中,所述第一请求包括第一业务指示信息,所述第一业务指示信息用于指示终端设备请求的第一业务,所述第一请求用于请求对所述终端设备是否能够实现所述第一业务进行认证;Sending a first request to the second communication device; wherein, the first request includes first service indication information, the first service indication information is used to indicate the first service requested by the terminal device, and the first request is used to request Authenticating whether the terminal device can implement the first service;
    接收来自所述第二通信设备的第一响应;其中,所述第一响应包括所述第二通信设备对所述终端设备是否能够实现所述第一业务进行认证得到的认证结果;receiving a first response from the second communication device; wherein the first response includes an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service;
    根据所述认证结果,确定是否为所述终端设备提供所述第一业务。Determine whether to provide the first service for the terminal device according to the authentication result.
  2. 根据权利要求1所述的方法,其特征在于,在向所述第二通信设备发送所述第一请求之前,所述方法还包括:The method according to claim 1, wherein before sending the first request to the second communication device, the method further comprises:
    接收来自第三通信设备的第二请求;其中,所述第二请求包括所述第一业务指示信息;所述第二请求为注册请求或第一会话建立请求。Receive a second request from a third communication device; wherein, the second request includes the first service indication information; and the second request is a registration request or a first session establishment request.
  3. 根据权利要求2所述的方法,其特征在于,所述第一业务包含至少一个业务,所述认证结果包括:所述终端设备能够实现所述第一业务中的第二业务;当所述第二请求为所述注册请求时,所述第一通信设备为接入和移动管理功能AMF,所述第二通信设备为认证服务器功能AUSF和/或网络切片选择的认证和授权功能NSSAAF,所述第三通信设备为所述终端设备或所述终端设备接入的接入网AN设备;在接收来自所述第二通信设备的第一响应之后,所述方法还包括:The method according to claim 2, wherein the first service includes at least one service, and the authentication result includes: the terminal device can realize the second service in the first service; when the first service When the second request is the registration request, the first communication device is the access and mobility management function AMF, the second communication device is the authentication server function AUSF and/or the authentication and authorization function NSSAAF selected by the network slice, the The third communication device is the terminal device or the access network AN device accessed by the terminal device; after receiving the first response from the second communication device, the method further includes:
    向统一数据管理UDM发送第一消息,其中,所述第一消息包括:用于指示所述第二业务的第二业务指示信息;Sending a first message to UDM, where the first message includes: second service indication information used to indicate the second service;
    接收来自所述终端设备或所述终端设备接入的AN设备的第二会话建立请求;其中,所述第二会话建立请求包括第三业务指示信息,所述第三业务指示信息用于指示所述终端设备请求执行的第三业务;receiving a second session establishment request from the terminal device or the AN device accessed by the terminal device; wherein, the second session establishment request includes third service indication information, and the third service indication information is used to indicate the the third service requested by the terminal device;
    根据所述第二会话建立请求,向SMF发送第三请求,其中,所述第三请求包括所述第三业务指示信息,所述第三请求用于请求所述SMF根据从所述UDM获取的所述第二业务指示信息和所述第三业务指示信息,接受或拒绝所述第二会话建立请求。According to the second session establishment request, send a third request to the SMF, where the third request includes the third service indication information, and the third request is used to request the SMF to The second service indication information and the third service indication information accept or reject the second session establishment request.
  4. 根据权利要求2所述的方法,其特征在于,所述第一业务包含至少一个业务,所述认证结果包括:所述终端设备能够实现所述第一业务中的第二业务;当所述第二请求为所述注册请求时,所述第一通信设备为AMF,所述第二通信设备为AUSF和/或NSSAAF,所述第三通信设备为所述终端设备或所述终端设备接入的AN设备;在接收来自所述第二通信设备的第一响应之后,所述方法还包括:The method according to claim 2, wherein the first service includes at least one service, and the authentication result includes: the terminal device can realize the second service in the first service; when the first service When the second request is the registration request, the first communication device is AMF, the second communication device is AUSF and/or NSSAAF, and the third communication device is the terminal device or the terminal device accessed AN device; after receiving the first response from the second communication device, the method further includes:
    保存用于指示所述第二业务的第二业务指示信息;saving the second service indication information used to indicate the second service;
    接收来自所述终端设备或所述终端设备接入的AN设备的第二会话建立请求;其中,所述第二会话建立请求包括第三业务指示信息,所述第三业务指示信息用于指示所述终端设备请求执行的第三业务;receiving a second session establishment request from the terminal device or the AN device accessed by the terminal device; wherein, the second session establishment request includes third service indication information, and the third service indication information is used to indicate the the third service requested by the terminal device;
    当所述终端设备能够实现的所述第二业务中包含所述第三业务时,接受所述第二会话建立请求,否则,拒绝所述第二会话建立请求。When the second service that can be implemented by the terminal device includes the third service, accept the second session establishment request; otherwise, reject the second session establishment request.
  5. 根据权利要求2所述的方法,其特征在于,当所述第二请求为所述注册请求时,所 述第一通信设备为AMF,所述第二通信设备为NSSAAF,所述第三通信设备为所述终端设备或所述终端设备接入的AN设备,所述第二请求还包括:第一网络切片指示信息;其中,所述第一网络切片指示信息用于指示所述终端设备请求接入的第一网络切片;The method according to claim 2, wherein when the second request is the registration request, the first communication device is AMF, the second communication device is NSSAAF, and the third communication device For the terminal device or the AN device accessed by the terminal device, the second request further includes: first network slice indication information; wherein the first network slice indication information is used to indicate that the terminal device requests to access The first network slice imported;
    所述第一请求还包括:所述第一网络切片指示信息;The first request further includes: the first network slice indication information;
    所述认证结果为所述第二通信设备对所述终端设备是否能够在所述第一网络切片上实现所述第一业务进行认证得到的。The authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
  6. The method according to claim 5, wherein the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result includes: the terminal device can implement a fourth service among the first service on a second network slice among the first network slice; after receiving the first response from the second communication device, the method further includes:
    sending a second message to a UDM, wherein the second message includes: second network slice indication information and fourth service indication information, the second network slice indication information being used to indicate the second network slice, and the fourth service indication information being used to indicate the fourth service that the terminal device can implement on the second network slice;
    receiving a third session establishment request from the terminal device or an AN device accessed by the terminal device, wherein the third session establishment request includes third network slice indication information and fifth service indication information, the third network slice indication information being used to indicate a third network slice, and the fifth service indication information being used to indicate a fifth service that the terminal device requests to execute on the third network slice;
    sending, according to the third session establishment request, a fourth request to an SMF, wherein the fourth request includes the third network slice indication information and the fifth service indication information, and the fourth request is used to request the SMF to accept or reject the second session establishment request according to the second network slice indication information and the fourth service indication information obtained from the UDM, together with the third network slice indication information and the fifth service indication information.
  7. The method according to claim 5, wherein the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result includes: the terminal device can implement a fourth service among the first service on a second network slice among the first network slice; after receiving the first response from the second communication device, the method further includes:
    saving second network slice indication information and fourth service indication information, wherein the second network slice indication information is used to indicate the second network slice, and the fourth service indication information is used to indicate the fourth service that the terminal device can implement on the second network slice;
    receiving a third session establishment request from the terminal device or an AN device accessed by the terminal device, wherein the third session establishment request includes third network slice indication information and fifth service indication information, the third network slice indication information being used to indicate a third network slice, and the fifth service indication information being used to indicate a fifth service that the terminal device requests to execute on the third network slice;
    when the second network slice includes the third network slice and the fourth service includes the fifth service, accepting the third session establishment request; otherwise, rejecting the third session establishment request.
  8. The method according to any one of claims 2 to 7, wherein the second request further includes at least one of the following:
    first indication information, second indication information,
    wherein the first indication information is used to indicate that authentication of whether the terminal device can implement the first service is required, and the second indication information is used to indicate the communication device that performs the authentication processing.
  9. The method according to any one of claims 1 to 8, wherein when the first communication device is an AMF or an SMF, before sending the first request to the second communication device, the method further includes:
    determining the second communication device according to the first service indication information, wherein the second communication device is at least one of an AUSF, an NSSAAF, a UDM, or an AAA server outside the mobile communication system.
  10. The method according to any one of claims 1 to 9, wherein when the first communication device is an AMF or an SMF, after receiving the first response from the second communication device, the method further includes:
    sending a third message to the terminal device according to the authentication result, wherein the third message includes at least one of the following:
    sixth service indication information used to indicate the services that the terminal device can implement;
    seventh service indication information used to indicate the services that the terminal device cannot implement;
    fourth network slice indication information used to indicate a network slice that the terminal device can access, together with eighth service indication information used to indicate the services that the terminal device can implement on that network slice;
    fifth network slice indication information used to indicate a network slice that the terminal device can access, together with ninth service indication information used to indicate the services that the terminal device cannot implement on that network slice;
    sixth network slice indication information used to indicate a network slice that the terminal device cannot access, together with tenth service indication information used to indicate the services requested by the terminal device on that network slice.
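As an added example (not code from the patent or its applicant), the following Python models the AMF-side behaviour described in claims 6, 7 and 10: saving the (slice, service) pairs from the authentication result, accepting or rejecting a later session establishment request against them, and classifying a request into the allowed and denied indications of the third message. Slice and service identifiers are constructed placeholders.

```python
# Added example, not code from the patent or from its applicant: a small model
# of the AMF-side handling described in claims 6, 7 and 10. All names and sample
# values (slice and service identifiers) are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class AmfServiceAuthState:
    """Holds the authentication result the AMF saved after the first response:
    second network slice indication -> fourth service indication(s), i.e. the
    services the terminal device may implement on each authenticated slice."""
    allowed: dict[str, frozenset[str]] = field(default_factory=dict)

    def save_result(self, slice_id: str, services) -> None:
        # Claim 7, first step: save the (second slice, fourth service) pair.
        self.allowed[slice_id] = self.allowed.get(slice_id, frozenset()) | frozenset(services)

    def accept_session(self, requested_slices, requested_services) -> bool:
        """Claim 7, last step: accept the third session establishment request
        only when every requested (third) slice is among the saved (second)
        slices and the saved (fourth) services on each of them contain every
        requested (fifth) service; otherwise reject."""
        wanted = frozenset(requested_services)
        return all(s in self.allowed and wanted <= self.allowed[s]
                   for s in requested_slices)

    def build_third_message(self, requested: dict[str, set[str]]) -> dict:
        """Claim 10: classify what the terminal requested (slice -> services)
        into the sixth..tenth service indications and the fourth..sixth network
        slice indications, using the saved authentication result."""
        msg = {
            "services_allowed": set(),        # sixth service indication
            "services_denied": set(),         # seventh service indication
            "slice_services_allowed": {},     # 4th slice ind. + 8th service ind.
            "slice_services_denied": {},      # 5th slice ind. + 9th service ind.
            "slices_denied_requested": {},    # 6th slice ind. + 10th service ind.
        }
        for slice_id, services in requested.items():
            services = set(services)
            if slice_id not in self.allowed:
                # Slice the terminal cannot access: report what it asked for there.
                msg["slices_denied_requested"][slice_id] = sorted(services)
                continue
            ok = services & self.allowed[slice_id]
            bad = services - self.allowed[slice_id]
            if ok:
                msg["slice_services_allowed"][slice_id] = sorted(ok)
            if bad:
                msg["slice_services_denied"][slice_id] = sorted(bad)
            msg["services_allowed"] |= ok
        all_requested = set().union(*requested.values())
        # A service is denied outright only when no accessible slice allows it.
        msg["services_denied"] = sorted(all_requested - msg["services_allowed"])
        msg["services_allowed"] = sorted(msg["services_allowed"])
        return msg


def demo() -> tuple[bool, bool, dict]:
    """Constructed walk-through: the saved result allows 'voice' and 'video'
    on slice 'S1' and 'web' on slice 'S2'; 'S3' was not authenticated."""
    amf = AmfServiceAuthState()
    amf.save_result("S1", {"voice", "video"})
    amf.save_result("S2", {"web"})
    accepted = amf.accept_session(["S1"], {"voice"})         # True
    rejected = amf.accept_session(["S1", "S2"], {"voice"})   # False: S2 lacks voice
    msg = amf.build_third_message({"S1": {"voice", "gaming"},
                                   "S2": {"web"},
                                   "S3": {"iot"}})
    return accepted, rejected, msg


if __name__ == "__main__":
    print(demo())
```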
  11. The method according to any one of claims 1 to 10, wherein when the first communication device is an AMF, after receiving the first response from the second communication device, the method further includes:
    sending a fourth message to the terminal device, wherein the fourth message is used to trigger the terminal device to authenticate, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, the authentication information including authentication information of services.
  12. The method according to any one of claims 1 to 11, wherein the first service indication information includes at least one of the following:
    an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
  13. A communication method, applied to a second communication device, the method including:
    receiving a first request from a first communication device in a mobile communication system, wherein the first request includes first service indication information, the first service indication information is used to indicate a first service requested by a terminal device, and the first request is used to request authentication of whether the terminal device can implement the first service;
    authenticating whether the terminal device can implement the first service;
    sending a first response to the first communication device, wherein the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service for the terminal device.
  14. The method according to claim 13, wherein the authenticating whether the terminal device can implement the first service includes:
    sending a fifth request to a fourth communication device, wherein the fifth request includes: the first service indication information, and the fifth request is used to request the fourth communication device to authenticate whether the terminal device can implement the first service;
    receiving a fifth response from the fourth communication device, wherein the fifth response includes a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service;
    authenticating, according to the second authentication result, whether the terminal device can implement the first service, to obtain the first authentication result.
  15. The method according to claim 13, wherein
    the first request further includes: first network slice indication information, the first network slice indication information being used to indicate a first network slice that the terminal device requests to access;
    authenticating whether the terminal device can implement the first service includes: authenticating whether the terminal device can implement the first service on the first network slice;
    the first authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
  16. The method according to claim 15, wherein the authenticating whether the terminal device can implement the first service includes:
    sending a sixth request to a fourth communication device, wherein the sixth request includes: the first network slice indication information and the first service indication information, and the sixth request is used to request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice;
    receiving a sixth response from the fourth communication device, wherein the sixth response includes a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice;
    authenticating, according to the second authentication result, whether the terminal device can implement the first service, to obtain the first authentication result.
  17. The method according to claim 14 or 16, wherein
    the second communication device is an authentication server function (AUSF) and the fourth communication device is a UDM; or
    the second communication device is a network slice-specific authentication and authorization function (NSSAAF) and the fourth communication device is an authentication, authorization and accounting (AAA) server outside the mobile communication system.
  18. The method according to any one of claims 13 to 17, wherein the authenticating whether the terminal device can implement the first service further includes:
    authenticating, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, the authentication information including authentication information of services.
  19. The method according to any one of claims 13 to 18, wherein the first service indication information includes at least one of the following:
    an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
  20. A communication apparatus, applied to a first communication device, including:
    a communication unit, configured to receive and send data;
    a processing unit, configured to execute, through the communication unit, the method according to any one of claims 1 to 12.
  21. A communication apparatus, applied to a second communication device, including:
    a communication unit, configured to receive and send data;
    a processing unit, configured to execute, through the communication unit, the method according to any one of claims 13 to 19.
  22. A communication system, including:
    a first communication device, configured to implement the method according to any one of claims 1 to 12;
    a second communication device, configured to implement the method according to any one of claims 13 to 19.
  23. A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when the computer program runs on a computer, the computer is caused to execute the method according to any one of claims 1 to 19.
  24. A chip, wherein the chip is coupled to a memory, and the chip reads a computer program stored in the memory to execute the method according to any one of claims 1 to 19.
PCT/CN2022/103065 2021-09-26 2022-06-30 Communication method, apparatus and system WO2023045472A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111130972.9 2021-09-26
CN202111130972.9A CN115884177A (en) 2021-09-26 2021-09-26 Communication method, device and system

Publications (1)

Publication Number Publication Date
WO2023045472A1 true WO2023045472A1 (en) 2023-03-30

Family

ID=85720001

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/103065 WO2023045472A1 (en) 2021-09-26 2022-06-30 Communication method, apparatus and system

Country Status (2)

Country Link
CN (1) CN115884177A (en)
WO (1) WO2023045472A1 (en)

Also Published As

Publication number Publication date
CN115884177A (en) 2023-03-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22871533

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE